Last week, the Office for Civil Rights (“OCR”) announced a settlement with Lafourche Medical Group (“LMG”), a Louisiana medical group, for a 2021 phishing attack and breach that affected the protected health information (“PHI”) of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that will include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with HIPAA rules, and training staff members.Continue Reading OCR Takes Enforcement Action for Phishing Attack
OCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security
Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).Continue Reading OCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security
FTC Announces Enforcement Action Against Ovulation Tracking App Premom
On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data with third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.Continue Reading FTC Announces Enforcement Action Against Ovulation Tracking App Premom
FTC Enforcement Against Sharing Consumer Health Information Continues
On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.
This latest enforcement action comes just one month after
FTC Imposes $1.5 Million Civil Penalty in First-of-Its-Kind Health Breach Notification Rule Enforcement Action
On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against California-based telehealth and prescription drug discount provider GoodRx Holdings, Inc. (“GoodRx”) for allegedly violating section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). The proposed order (“Proposed Order”), which was brought by the U.S. Department
HHS OCR Issues a Bulletin on HIPAA Requirements for Tracking Health Information When Using Online Technologies
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on regulated entities under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. The bulletin defines
HHS Proposes Significant Amendments to Part 2 Regulations Governing the Confidentiality of Substance Use Disorder Records
Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus
Biden Acts to Protect Reproductive Health Care Services: Executive Order and Privacy Guidance
The Biden Administration is taking action to support access to reproductive health care in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. This is occurring as some states seek to restrict or criminalize abortion services. So far, there has been action by the White House, through an Executive Order, and by the U.S. Department of Health and Human Services (HHS), through guidance on HIPAA and privacy. Continue Reading Biden Acts to Protect Reproductive Health Care Services: Executive Order and Privacy Guidance
Increased Cyber Risk for Health Care Organizations Due to the Russia-Ukraine Conflict
The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note from the Department of Health & Human Services (“HHS”), HHS describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes two malware variants most likely to impact the U.S. health care and public health sector.
Continue Reading Increased Cyber Risk for Health Care Organizations Due to the Russia-Ukraine Conflict
OCR Announces First Enforcement Action Under Its Right to Access Initiative
On Monday, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) announced an enforcement action against Bayfront Health St. Petersburg (“Bayfront”) for allegedly failing to provide a mother timely access to her unborn child’s prenatal medical records. The enforcement action is noteworthy in that it marks OCR’s first