On July 1, 2021, the California Department of Public Health (“CDPH”) issued new regulations[1] (the “Regulations”) effective immediately that more narrowly limit the circumstances under which instances of unauthorized access to medical information have to be reported to CDPH.  The new regulations also give CDPH more discretion to adjust penalties for violations.  The Regulations complement Section 1280.15 of the Health and Safety Code (“Section 1280.15”) requiring state-licensed clinics, health facilities, home health agencies, and hospices to prevent any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information, and to report any unauthorized access, use or disclosure to the Department no later than fifteen (15) business days after the breach was detected.

Continue Reading California Issues New Health Facility Breach Reporting Requirements

According to a February 12, 2019 Press Release from Protenus, a developer of analytics for patient privacy monitoring and compliance, 15,085,302 patient records were breached in 2018 – a startling number made even more startling by the fact that the number of breached patient records in 2018 is three times greater than the number of records breached in 2017.

As evidenced by the Protenus data and information reported by the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”), a growing number of these breaches relate to third-party hacking, ransomware, and related malware incidents (collectively, “Hacking/IT Incidents”). As such, the OCR data shines a bright light on the obvious difficulties that healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).

The following examines representative HIPAA settlements and rulings from 2018, and considers the 2018 breach statistics and the growing security risk associated with Hacking/IT Incidents.
Continue Reading Cybersecurity, Inside Jobs, Outside Jobs, and HIPAA