Healthcare Regulation News

In a significant development in the realm of patient privacy rights, a group of 24 attorneys general, led by New York Attorney General Letitia James and California Attorney General Rob Bonta, submitted a comment letter on June 16, endorsing expanded federal protections for patients’ reproductive health information. Their support is a response to amendments proposed by the Biden administration to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in April. “While anti-choice state legislatures across the nation are stripping away our reproductive freedom and seeking access to health care data, it is imperative that we take every measure…

In a significant move to keep pace with the rapidly advancing digital health industry, the Federal Trade Commission (FTC) has taken bold strides toward updating the Health Breach Notification Rule (HBNR). As health applications and fitness trackers increasingly weave themselves into the fabric of our everyday lives, the FTC’s proposed amendments reflect an urgent need to adapt the HBNR to the challenges and realities of today’s dynamic digital health landscape. Currently, the HBNR mandates that suppliers of personal health records (PHR) and associated parties, not covered by the Health Insurance Portability and Accountability Act (HIPAA), are required to report breaches…

Recently, the U.S. Food and Drug Administration (FDA) has shared an update addressing reports of squamous cell carcinoma (SCC), a relatively rare cancer form, found in the scar tissue (capsule) developing around breast implants. This important update follows a safety communication in September 2022, which initially alerted the public to the presence of SCC and various lymphomas in the tissue around breast implants, raising concerns among patients and healthcare providers alike. Breast implants, not intended to be permanent fixtures, function as medical devices implanted beneath the breast tissue or chest muscle for the purpose of enlarging the breast size (augmentation)…

The Centers for Medicare & Medicaid Services (CMS) has launched an investigation into Medicare Advantage Organizations (MAOs) to recoup a staggering $4.7 billion in overpayments. MAOs have long been accused of misusing taxpayer dollars, leading to calls for greater oversight of the programs. Long-standing allegations of payment abuses in the MA program, particularly those connected to risk adjustments, have alarmed regulators. Millions of Americans are covered by the program, which pays MAOs capitated rates and risk-adjusted payments to increase payments to plans for sicker members. Federal officials claim that this structure provides health plans with a financial incentive to misrepresent…

An analysis by the Commonwealth Fund has revealed that people in the United States experience shorter life expectancies and poorer overall health compared to those in other high-income countries, even though the U.S. spends approximately 18 percent of its gross domestic product on health care. The US Health Care from a Global Perspective report is published every year by the Commonwealth Fund. This report assesses the American health spending, outcomes, status, and service use by conducting a cross-national comparison of the health system performance. Data sources for this comparison include the Organisation for Economic Cooperation and Development (OECD) which has…

U.S. Senators Bill Cassidy, M.D. (R-LA), Richard Blumenthal (D-CT), and U.S. Representatives Brad Wenstrup, D.P.M. (R-OH-02) and John Larson (D-CT-01) have reintroduced bipartisan, bicameral legislation that aims to improve access to affordable outpatient surgical care for Medicare beneficiaries. The Outpatient Surgery Quality and Access Act is designed to eliminate copay penalties, address reimbursement gaps, and remove other barriers that limit seniors’ access to Ambulatory Surgery Centers (ASCs). According to projections, ASCs offer many vital outpatient services at low prices, and their increased use is projected to save Medicare billions of dollars in the coming years. However, current restrictions and misaligned…

On Tuesday, the release of a $1.7 trillion year-end spending bill was announced, aiming to prevent a government shutdown. The bill includes several healthcare provisions, most notably the extension of telehealth and hospital-at-home waivers and the reduction of the 2023 Medicare payment cuts from 4.5 percent to 2 percent. Telehealth supporters have won a major victory with the passing of this new bill. This bill extends the telehealth-related regulatory flexibilities for Medicare beneficiaries, which were put into action during the COVID-19 pandemic, for two years. Before this bill, these flexibilities were only set to remain in place for five months…

An omnibus appropriations bill that would fund the government through September 30, 2023, has been released by the House and Senate Appropriations Committees. The bill, which clocks in at over 4,000 pages, contains a number of provisions that will affect healthcare, such as medical device security requirements for manufacturers. Lawmakers and healthcare leaders have been advocating for more guidance and regulations in the area of medical device security. With healthcare organizations managing thousands of internet-connected medical devices, the potential for security risks is a genuine concern. The industry’s reliance on legacy systems, combined with an amplified focus on cybersecurity by…

The Secretary of the Department of Health and Human Services (HHS) has proposed a new rule outlining standards for healthcare attachments transactions and electronic signatures. This measure is in line with the Administrative Simplification Requirements of HIPAA and the Affordable Care Act, and is intended to provide health plans, healthcare clearinghouses, and healthcare providers with a uniform method of sending attachments. The new rule, if implemented, would apply to all entities that currently lack an efficient system for doing so. The absence of HIPAA-adopted standards for healthcare attachments and electronic signatures has resulted in health plans relying on manual processes…

In response to the growing threat of cyberattacks, Massachusetts Governor Charlie Baker has signed an executive order that will help organizations protect their infrastructure. The new Massachusetts Cyber Incident Response Team (MA-CIRT), overseen by the Secretary of the Executive Office of Technology Services and Security (EOTSS), is designed to provide assistance in the prevention, mitigation, and recovery of cyberattacks. Governor Baker noted in a press release that, “State governments and other organizations across the country are increasingly being targeted by bad actors aiming to disrupt operations and compromise information systems.” He added, “As state governments expand their digital footprints, moving…

Earlier this week, CMS actuaries released data as part of the National Health Expenditures (NHE) report. Published annually, the NHE measures total annual spending on healthcare goods and services (e.g., hospital, physician, and prescription drugs), the type of payer (e.g., commercial health insurance, Medicare, and Medicaid), and the type of sponsor (e.g., businesses, households, and federal/state governments). According to the report, US national healthcare spending slowed in 2021, rising 10.3% compared to 2020. Although this was still an increase, it was lower than the 19.7% increase from 2019 to 2020. Healthcare costs continue to be high, with total health expenditures…

On Tuesday, the Department of Health and Human Services (HHS) proposed a rule to expand access to treatments for opioid use disorder. The proposed updates, which have not been updated in over two decades, would address long standing barriers in regulations and allow physicians to utilize telehealth to initiate buprenorphine treatment. Miriam Delphin-Rittmon, Ph.D., leader of the Substance Abuse and Mental Health Services Administration (SAMHSA), noted that the proposed changes could reduce overdose rates. When the COVID-19 pandemic began in March 2020, SAMHSA implemented measures to allow physicians to start substance abuse treatment with buprenorphine through telehealth and provided take-home…

The Telehealth Extension Act has been introduced by the bipartisan members of the House Ways and Means Health Subcommittee, led by U.S. Rep. Lloyd Doggett (D-TX). Cosponsors of the bill include Reps. Devin Nunes (R-CA), Mike Thompson (D-CA), Mike Kelly (R-PA), and David Schweikert (R-AZ). This bill seeks to guarantee permanent access to telehealth services. Several prominent telehealth supporters, such as the National Rural Health Association, the eHealth Initiative, the American Nurses Association, and the American Speech-Language-Hearing Association, have endorsed the bill. This legislation seeks to abolish geographic and site limitations, enabling Medicare beneficiaries to use telehealth services no matter…

On November 3rd 2022, Pennsylvania Governor Tom Wolf signed Senate Bill (‘SB’) 696 to amend the Breach of Personal Information Notification Act of 2005 to broaden the definition of personal information.  Under the new amendments, businesses who experience a breach of the personal information they manage are required to notify those affected. However, the type of information that requires a notification can vary from state to state, as well as format, timing, and other conditions. Companies who have clients in many states must keep track of and adhere to a multitude of varying requirements. Additionally, notifications issued by breached businesses…

The Federal Trade Commission (FTC) recently received feedback from the College of Healthcare Information Management Executives (CHIME) regarding its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security. In this feedback, CHIME encouraged the FTC to hold health apps and data brokers accountable for criminal disclosures of health data and deceptive or misleading data practices. On August 22, 2022, the ANPR was released in the Federal Register, asking stakeholders in the healthcare sector whether the FTC should introduce innovative trade regulation rules or other regulatory alternatives concerning the ways in which companies…

On October 13, 2022, Xavier Becerra, Secretary of Health and Human Services, extended the COVID-19 Public Health Emergency (PHE) for a record-breaking eleventh time. The COVID-19 PHE was first announced in January 2020 by Alex Azar II, the HHS Secretary at the time. Becerra granted the prior extension to July 15, 2022. The COVID-19 PHE’s most recent extension is for an additional 90 days; the new date is January 11, 2023. In response to the COVID-19 PHE, a number of flexibilities were introduced, including modifications to Medicare to increase coverage of telehealth services during the COVID-19 pandemic. Medicare beneficiaries from…

The state of California has improved safeguards for those seeking birth control and abortion services. California Governor Gavin Newson, has signed a package of bills that forbid healthcare providers from disclosing patients’ medical information in response to subpoenas and requests form outside the state. The bill comes following the United States Supreme Court’s decision to overturn Dobbs v. Jackson Women’s Health Organization which removed women’s federal right to obtain an abortion, leaving the decsion up to the individual state. Several states had trigger laws in place whereby, in the event of the overruling of Dobbs v. Jackson, abortion would be…

As of October 6th, 2022, all HIPAA-regulated healthcare providers will be required to achieve full compliance with the information blocking requirements of the 21st Century Cures Act. Following October 6th, the Department of Health and Human Services (HHS) will be responsible for imposing financial penalties to healthcare providers who fail to facilitate patient’s access to their health information.  The new information blocking requirements have been introduced by legislatures to improve patient access to their medical records. Information blocking is defined as any practice by an entity that is likely to interfere with the access, exchange, or use of electronic health…

The United States Food and Drug Administration (FDA) user fee authorization bill that was approved by the House of Representatives in early June contained new provisions demanding medical device manufacturers to label all devices with a software bill of materials, to adequately monitor for and rectify postmarket cybersecurity flaws in their devices, and ensure all devices are able to receive updates to ensure cybersecurity for the entirety of the devices’ lifecycles. By a vote of 392-28, the law was approved. However, the cybersecurity provisions have since been removed. With time running out, the FDA bowed to pressure from Senate republicans…

The United States Government Accountability Office (GAO) has recently called for the Department of Health and Human Services (HHS) to strengthen their oversight and assist medicare telehealth providers to educate patients on Privacy and Security Risks. Due to the nature of the COVID-19 pandemic, Medicare temporarily waived restrictions on telehealth services to help patients access care without risk of exposure. As a result, the number of telehealth visits grew exponentially to over 53 million between April and December 2020. The unprecedented use of telehealth services has raised many concerns regarding the quality of care patients received and the lack of…

Medtronic has become the first company to receive the U.S. Food and Drug Administration’s (FDA) approval for their Onyx Frontier and Resolute Onyx drug-eluting stents used for bifurcation percutaneous coronary intervention. With FDA approval, Medtronic will be able to offer a wide range of medical training and technical assistance to physicians using percutaneous coronary interventions to treat patients with bifurcation lesions. Bifurcation lesions occur when plaque accumulates at the meeting point of two coronary arteries. As a result of the structural changes in the arteries and the difficulty in obtaining access to the side branches, the lesions are often regarded…

United States House Republicans have introduced a bill to ensure pharmacists can refuse patients’ requests for abortion medicines if they oppose. The Pharmacist Conscience Protection Act, which was proposed on Wednesday, forbids the federal government from punishing pharmacists who object on moral or religious grounds to prescribing medications that might result in an abortion. The bill comes following the Department of Health and Human Services’ (HHS) guidance which states that pharmacists who refuse to provide prescriptions for abortions could be in violation of several civil rights laws.  The HHS argued that in accordance with federal civil rights rules, pharmacists are…

The United States Department of Health and Human Services’ Director Xavier Becerra has formally sworn in Melanie Fontes Rainer as Director of the Office for Civil Rights (OCR). As of Wednesday, September 12, 2022, Fontes Rainer will lead the OCR in its duties to enforce federal civil rights, conscience protections, and the Health Insurance Portability and Accountability Act’s (HIPAA) Rules, which protect Americans’ fundamental civil rights and medical privacy.  Melanie Fontes Rainer has been officially sworn in as the Director of the Office for Civil Rights by Xavier Becerra, Director of the United States’ Department of Health and Human Services…

Following the United States’ Supreme Court’s ruling to overturn Roe v. Wade and Dobbs v. Jackson Women’s Health Organization, 30 groups have written a letter to the Department of Health and Human Services’ Secretary Xavier Becerra requesting an update to the Health Insurance Portability and Accountability Act to ensure the privacy of patients’ reproductive health data. As a result of the Supreme Court’s decision, numerous states either outlawed abortion for their citizens or imposed limitations, and some have even started looking into and punishing women who obtain abortion services.  The senators, under the leadership of Patty Murray, chair of the…

The U.S.’s Department of Homeland Security (DHS) has released a final rule, which will be released in the Federal Register, that clarifies and uniformly applies DHS’s management of the public charge basis of inadmissibility for non-citizens. The rule amends actions that the Trump Administration made to identify supplemental public health benefits like Medicaid and nutritional assistance as part of the public charge inadmissibility determination and corrects the historical understanding of a “public charge” that had been recognized for previous decades. According to the DHS’s press release, the rule is a reflection of the Biden Administration’s commitment to restore faith in…

A bill has been approved by the California legislature that forbids businesses operating in the state of California from providing access to information on those pursuing or performing abortions to other states who require the information through warrants. The bill is an attempt made by the California legislature to protect women’s privacy following the U.S. Supreme Court’s decision to overturn Roe v Wade. Following the Supreme Court’s decision, women’s federal right to an abortion has been left been left to individual states to choose whether abortion is legal. Several republican states had trigger laws in place to immediately prohibited abortions in…

Abbott’s new spinal cord stimulation system has been approved by the U.S. Food and Drug Administration. In an press release on August 23, 2022, the medical technology manufacturer announced that their Proclaim Plus cord stimulation system will be available to provide physicians the opportunity to treat multi-site and evolving pain. Abbott is a global leader in healthcare that works to improve quality of life for people at all phases of life. The company works to provide life-changing technologies in various areas of healthcare including medical equipment, nutritionals, and generic medicines.  According to Abbot, over 50 million Americans suffer from chronic…

A letter has been sent by Angus S. King Jr. (I-ME) and Congressman Mike Gallagher (R-WI), Co-Chairs of the Cyberspace Solarium Commission to the Department of Health and Human Services’ Secretary Xavier Beccerra expressing concerns regarding the public health sector’s cybersecurity. In the letter, the lawmakers emphasize the significant rise in cyberattacks aimed at the healthcare industry, call for more concerted effort to confront the growing danger, and request the government for an urgent update on the issue.  King and Gallagher detail how the COVID-19 pandemic exposed several systemic issues within the healthcare sector, particularly the shortage of resources. However,…

Medtronic has announced a recall of its Cobalt and Crome implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators. A report issued by the Food and Drug Administration labeled the recall in the Class I after the report found that the devices may only deliver approximately 79 percent of the intended energy of the shock during high-voltage treatment. The recall includes more than 20,000 units.  The recall comes after healthcare professionals in Europe received an urgent field safety notification from Medtronic last month regarding the same issue with the same product codes. The notification stated that the effectiveness of the defibrillator…

A long-waited bill worth $740 billion to reduce the price of prescription medications and health insurance has officially been approved by the Senate. The legislation comes as a new form of the Build Back Better Act, which passed through the House of Representatives in November. However, the previous Act was far greater, amounting to $2.2 trillion. The Act may have been too optimistic as the Act did not pass through the Senate. The Act underwent a rebrand and reduction which warranted enough support from Senators to pass the law through the upper chamber of Congress. On August 7, the Biden…

A letter has been sent to the Federal Trade Commision (FTC) by Senator Josh Hawley requesting an investigation into Amazon’s plans to purchase primary care company organization One Medical. The letter comes as a result of concerns regarding patient health information privacy and security concerns.  On July 21, it was announced that Amazon had settled a deal to purchase 1Life Healthcare, which provides primary treatment via One Medical. In the letter, Senator Hawley recognizes the FTC’s efforts to counteract America’s growing economic oligopoly and the influence of tech giants. However, he maintains that the One Medical acquisition requires particular attention….

The Department of Health and Human Services (HHS) and the US Department of Justice (DOJ) has issued a new guidance for healthcare providers to help prevent telehealth discrimination. The new guidance marks the 32nd anniversary of the Americans with Disabilities Act, where the US government seeks to address several federal nondiscrimination laws such as the ADA Section 504 of the Rehabilitation Act of 1973, Title VI of the Civil Rights Act of 1964, and Section 1557 of the Patient Protection and Affordable Care Act along with several steps healthcare providers can take to prohibit discrimination and protect access to health…

The FDA has granted 501(k) clearance to BodyPort for its cardiovascular monitor that tracks patients with fluid management related heart conditions such as kidney disease and heart failure. According to the CDC, over 6 million adults in the US suffer from heart failure, resulting in over 12 million clinical visits and approximately 1.2 million hospitalizations annually. 90% of these hospitalizations are said to be the result of hemodynamic changes causing fluid accumulation. Typically, weight gain is the standard for non-invasive detection of fluid changes. However, Bodyport has developed a scale to measure fluid changes alternatively. To use the device, individuals…

The Food and Drug Administration has awarded 501k clearance to Verily and iRhythm Technologies for the new cardiac arrhythmia feature on their Zio Watch. The approval comes as wearables continue to become an integral part of healthcare treatment. Wearables can be used to contact others, for navigation, and perhaps most importantly, monitor a user’s health. Google has recognized the potential wearables have to help individuals and encouraged their sister company Verily and iRhythm Technologies to design a wearable capable of competing in the wearables market.  The company created the Zio Watch. The new device works in collaboration with Zio ECG…

Medtronic has recently announced that their spine analyzing planning platform has received FDA 501k clearance. The healthcare technology global leader reported the news on July 14 2022. The UNiD Spine Analyzer v4.0 planning platform includes an artificial intelligence powered algorithm called the Degen Algorithm which helps surgeons to design and personalize procedures for individuals undergoing lower lumbar spine surgery and anticipates spinal compensatory processes 6 months following surgery. In addition, the planning platform will include advancements in predicting spinal alterations in both children and adults.  Degenerative spine disease is a common age-related condition that results in disabilities for individuals all…

The U.S. Food and Drug Administration has given 501k clearance to Apple for a new smart watch feature. The clearance comes as wearables continue to be integrated into healthcare provision. Today, wearables can help measure data related to temperature, blood pressure, blood oxygen, breathing rate, physical movement, and the electrical activity of several organs. Apple has utilized this technology to design a feature which is capable of detecting signs of atrial fibrillation (AFib) in its user.  The Food and Drug Administration approved the Apple Watch as a viable tool for detecting irregular heart rhythms in 2018. Although the Watch’s electrocardiogram…

In response to the Supreme Court’s recent decision to overturn Roe v Wade, a coalition of Texas Democrats have written to the White House, proposing strategies to ensure medication-enabled abortions are still available. This ruling has caused abortion restrictions to come into effect in Texas and other states, resulting in abortion being illegal in Texas and individuals needing to travel to other states to receive abortion care. The letter from the Texas Democrats and abortion rights organizations highlighted the financial and transportation difficulties this would cause for many, and asked the Biden administration for their support. The White House has…

An executive order has been released by President Biden to address patient privacy protection concerns and to emphasize the significance of access to abortion in response to the Supreme Corut’s decision to overturn Roe v. Wade.  “Eliminating the right recognized in Roe has already had and will continue to have devastating implications for women’s health and public health more broadly. Access to reproductive healthcare services is now threatened for millions of Americans, and especially for those who live in States that are banning or severely restricting abortion care.” The “Executive Order on Protecting Access to Reproductive Healthcare Services” details how…

United States Senators Catherine Cortez Masto and Michael Bennet have written to the Department of Health and Human Services’ Secretary, Xavier Becerra, (HHS) requesting an update of the Health Insurance Portability and Accountability Act (HIPAA) to improve reproductive rights protection. The letter comes as major concerns have been raised regarding data and privacy concerns following the Supreme Court’s decision to overturn Roe v. Wade.  “Last week, the Supreme Court upended almost 50 years of legal precedent in its decision to overturn Roe v. Wade. The decision has created profound uncertainty for patients concerning their right to privacy when making the…

The Canadian federal government is seeking to strengthen their privacy legislation with the introduction of new laws to the House of Commons. The developments to privacy law were introduced in the form of Bill C-27, a renovation of the previously proposed Bill C-11. The objective of Bill C-11 was to repeal the Personal Information Protection and Electronic Documents Act (PIPEDA), the current federal private sector privacy law and replace them with a new legislative framework for data and privacy. However, Bill C-11 was unsuccessful and never made it into law.  Bill C-27 is another attempt to introduce more stringent privacy…

Since 2014, there has been a dramatic increase in the utilization of telemedicine, resulting in the advancement of telemedicine technologies and new challenges to the safety of patients. The rapid expansion of telemedicine generated by the public health emergency of the COVID-19 pandemic  has caused concerns regarding fraud and abuse and access inequity. To address these concerns, the FSMB appointed a workgroup tasked with establishing an updated policy regarding telemedicine. The workgroup created the new policy by addressing the challenges and evolving use of telemedicine, analyzing the effect of waiving licensing requirements and practice across state lines, reviewing current state…

During the COVID-19 pandemic, all U.S. 50 states were granted emergency authority to waive components of their state licensing requirements.  Under these waivers, states could allow temporary visits from out of state physicians to provide services. However, as the Covid-19 pandemic winds down, waivers allowing for cross-state telehealth are expiring. Hospitals with large amounts of COVID-19 cases were put under immense pressure and had their resources stretched thin. Under the pandemic waivers, overwhelmed hospitals were permitted to request help from physicians in other states to provide care via telehealth. The result of these waivers were extremely advantageous. Particularly to patients…

Following the Supreme Court’s decision to overrule Roe v. Wade, U.S. Department of Health and Human Services’ (HHS) Secretary Xavier Becerra has recently urged HHS agencies to take action to protect women’s access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care. The decision made by the Supreme Court to overrule Roe v. Wade has removed women’s rights to safe and legal abortions, leaving the decision for the individual states to determine women’s reproductive rights. 13 states have trigger laws embedded in Roe v. Wade that will outlaw abortions once overturned. The HHS’ Office…

The Connected Health Initiative (CHI), a coalition composed of a wide range of stakeholders ranging from physician and patient groups to pharmaceutical and software companies and research universities, recently sent a letter to agencies such as the Food and Drug Administration, Centers for Medicare and Medicaid Services (CMS), and others in order to further mobile health innovation, while safeguarding confidentiality. The CHI steering committee consists of Boston Children’s Hospital, HIMSS, Apple, and UnitedHealth Group. In its letter, CHI expressed their support for mobile health innovation and advocated for the Medicare hospital inpatient prospective payment system (IPPS) proposed changes from CMS….

San Diego Family Care, a medical, dental, & mental health services provider in California, has opted to settle a class-action lawsuit filed by patients affected by a 2020 data breach. The data breach that prompted the lawsuit was announced by the healthcare services provider in May 2021. The breach report submitted to the HHS’ Office for Civil Rights (OCR) stated that 125,500 patients were impacted, though the total was afterward adjusted to 154,513 patients. The breached data included names, dates of birth, government ID numbers, Social Security numbers, medical diagnosis or treatment details, health insurance data, financial account numbers, and…

BD has published security alerts regarding two vulnerabilities that impact certain BD Pyxis automatic medication dispensing system products and the BD Synapsys microbiology informatics software program. BD Pyxis – CVE-2022-22767 As per BD, a number of BD Pyxis products were installed using default credentials and could still run using those credentials. In certain situations, the affected products could have been put in having the same default local operating system credentials or domain-joined server(s) credentials that might be shared among product types. Should a threat actor exploit the vulnerability, it is possible to acquire privileged access to the root file system,…

On July 1, 2022, revised data breach notification laws (HB 1351) will be in force in Indiana that necessitates the issuance of notifications 45 days from the time of discovering a breach that affected the personally identifiable information (PII) of Indiana citizens. Presently, the data breach notification conditions are for notifications to be given with no unreasonable delay. The revision has been made to make sure that those whose PII was exposed are given immediate notification. When PII is compromised, individual notifications ought to still be given without unreasonable delay. A reasonable delay is whenever one of these situations applies:…

Newman Regional Health (NRH), which runs a 25-bed critical access hospital situated in Emporia, KS, has of late commenced notifying 52,224 people that unauthorized folks have obtained access to a few employee email accounts comprising protected health information (PHI). NRH noted on its web page that unauthorized persons had seen a number of employee email accounts in a period of 10 months in 2021 from January 26, 2021 to November 23, 2021. After identification of the data breach, prompt measures were done to secure the email accounts. NRH began an investigation to determine the magnitude and nature of the breach….

The law agency BakerHostetler has publicized its 8th Annual Data Security Incident Response (DSIR) Report, which gives information based upon 1,270 data security incidents handled by the agency in 2021. 23% of those occurrences involved data security incidents at healthcare companies, which was the most attacked industry. Ransomware Attacks Grew in 2021 Ransomware attacks have continued happening at heightened levels. 37% of all data security occurrences dealt with by the company in 2021 were ransomware attacks in comparison to 27% in 2020. Attacks on healthcare institutions grew significantly year over year. 35% of healthcare security breaches addressed by BakerHostetler in…

Two bipartisan senators have presented the Protecting and Transforming Cyber Health Care (PATCH) Act which seeks to increase the security of medical devices. Vulnerabilities are usually discovered in medical devices that can likely be taken advantage of by threat actors to alter the operation of the devices, render them unuseable, or utilize the devices as a channel for more extensive attacks on healthcare sites. During the pandemic, there was a surge of cyberattacks on healthcare institutions, and medical devices, and the systems to which they hook up were affected by ransomware attacks. These attacks have hurt hospitals, patients, and the…

The state Senators of Alabama, Kentucky, New Hampshire, and Pennsylvania have all discussed or adopted regulations for telehealth services. For example, Alabama’s approved bill mandates that a doctor delivering telehealth medical treatment must be as attentive, thorough, and careful as if rendering the service in person. This means that patients can access remote care without first having met the provider. However, if a patient requires more than four virtual care appointments for the same issue without it being solved, then the doctor must make an in-person visit within a year. This bill has now been sent to the Alabama House…

A new bipartisan bill was introduced to the US House of Representatives on Thursday. It allows employers to offer standalone telehealth programs in addition to traditional medical health plans. The bill, called the Telehealth Benefit Expansion for Workers Act, would classify telehealth as an excepted benefit and amend the Health Insurance Portability and Accountability Act and the Affordable Care Act so that all employees, including part-time and seasonal workers, can receive the benefit. Rep. Suzan DelBene (D-WA) recently proposed the Telehealth Benefit Expansion for Workers Act. The bill aims to make telehealth services more accessible to workers by allowing employers…

The U.S. Department of Justice (DOJ) has announced the settlement reached with the healthcare services provider, Comprehensive Health Services (CHS) based in Cape Canaveral, FL to resolve alleged False Claims Act violations. This is the first settlement reported under the DOJ Civil Cyber Fraud Initiative, which was introduced in 2021. The Civil Cyber Fraud Initiative was started to pursue cases against government contractors that knowingly utilized lacking cybersecurity tools and services which put information systems at risk, and failures to send notifications of cybersecurity incidents. CHS together with its subsidiaries had agreements with the U.S. Air Force and the U.S….

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced to require the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent. However, after 2 decades, the health sector has changed significantly. Health information is now being collected, shared, and sold by tech companies. The HIPAA Privacy and Security Rules created rules to guarantee the privacy and security of health data, however HIPAA only applies to HIPAA-covered entities. As a result, HIPAA is due a number of updates to address its vulnerabilities. The Department of Health and Human Services (HHS)…

Over 125 organizations are calling on Congress to reinstate a provision that would permit employers and health plans to offer pre-deductible coverage for telehealth services for those with high-deductible health plans and Health Savings Accounts (HDHP-HSAs).  Last week, the Alliance for Connected Care convened a letter to Congressional leaders, signed by a mix of organizations including the American Telemedicine Association, America’s Health Insurance Plans, AMGA, LifePoint Health, CVS Health, and Teladoc Health. The letter urged the leaders to reinstate the telehealth safe harbor flexibility enacted in the CARES Act; the flexibility had expired on December 31st, but with the Omicron…

The COVID-19 pandemic saw a dramatic rise in the use of telehealth services, however a new report has highlighted the restrictive telehealth laws of states that have been most affected by the virus. These states include New York, California, Connecticut, Massachusetts, Washington, and New Jersey, which have distinct limitations placed on virtual care services that cross state lines. For instance, these states are not part of any interstate licensing compacts, which would otherwise allow providers from different states to practice with a license from their home state, provided they are in good standing. The report, created by Reason Foundation, Cicero…

Although the changes to HIPAA regulations in 2021 were not much, new laws were introduced that are associated with the HIPAA Privacy and Security Rules, with regards to cybersecurity, patient access to medical information, and HIPAA enforcement. 2021 HIPAA Safe Harbor Law President Trump signed the HIPAA Safe Harbor Bill (HR 7898) on January 5, 2021 and changed the HITECH Act. The goal of the HIPAA Safe Harbor Bill was to inspire healthcare institutions to follow standard cybersecurity procedures to enhance their protection against cyberattacks. The HIPAA Safe Harbor Bill teaches the HHS to consider the cybersecurity guidelines that a…

The accountancy company Bansley and Kiener LLP located in Chicago, IL has reported that it experienced a ransomware attack in December 2020 that permitted the encryption of certain files inside its network. The attack merely brought about brief interruption, and all encrypted systems can be recovered using backup copies and immediately go back to usual operations. The attack took place on December 10, 2020, and the succeeding investigation into the occurrence didn’t get any proof of data theft and affirmed that the attack was completely secured. Nonetheless, Bansley and Kiener stated in a December 3, 2021 breach notification letter that…

A class-action lawsuit has been filed against San Juan Regional Medical Center located in Farmington, New Mexico over a reported data breach in June 2021. Based on the breach investigation, an unauthorized person acquired access to its system and exfiltrated files that contain sensitive patient information from September 7, 2020, to September 8, 2020. The data breach report was at first submitted to the HHS’ Office for Civil Rights as impacting 500 people, with San Juan Regional Medical Center stating back then that no less than 500 people were impacted. When the total number of people impacted by a security…

The HHS’ Office for Civil Rights (OCR) is moving forward with its enforcement of the HIPAA Right of Access compliance and has reported 5 more financial penalties. The HIPAA Right of Access enforcement project was started in the autumn of 2019 as a reaction to a considerable number of grievances from patients who didn’t get prompt access to their medical data. The HIPAA Privacy Rule calls for covered entities to give patients access to their health documents. A copy of the health data needs to be delivered within 30 days after the request is made, though a 30-days extension could…

The hacker responsible for getting access to the University of Pittsburgh Medical Center (UPMC) databases and stole the W-2 details and personally identifiable information (PII) of roughly 65,000 UPMC workers has been given the maximum sentence for the offenses and will be in jail for 7 years. Sean Johnson, a resident of Detroit, Michigan, also known as TheDearthStar and Dearthy Star – hacked into the UPMC databases in 2013 and 2014 and took highly sensitive data. Then he sold the stolen data on dark web hacking forums. Identity thieves used the information to file fake tax returns in the names…

A lawsuit was filed in the U.S. District Court in Minnesota by 180 healthcare employees concerning the COVID-19 vaccine mandates of their company owners. The plaintiffs, who were anonymous in the lawsuit, assert vaccine mandates violate religious freedom and state and federal legislation. The legal case is one of the cases that challenge the legitimacy of this kind of mandate. Vaccines continue to be the most efficient way to avoid the passing on of COVID-19, keep persons from becoming very ill, and lessen the number of people who need to be hospitalized due to the illness. The vaccines are risk-free…

Gavin Newsom, Governor of California, has issued an Executive Order (N-16-21) that allows physicians to provide routine and non-emergency telehealth services without the worry of being sanctioned for inadvertently releasing patient data. This Order extends a similar one that was put in place in April of 2020 during the peak of the pandemic. It was designed to help clinicians extend their telehealth services, allowing patients to receive care with less risk of COVID-19 transmission. This Order gives healthcare providers protection from HIPAA violations for offering telehealth services in good faith. The original order for the use of telehealth was set…

Healthcare companies that need to comply with the California Consumer Privacy Act (CCPA) are having difficulties getting compliance, as per a new study shared in the Health Policy and Technology – DOI: 10.1016/j.hlpt.2021.100543 The CCPA was made into law on June 28, 2018 and enforced on January 1, 2020. The purpose of the CCPA was to offer California locals more control over their personal records and how their usage. The CCPA provided the residents of California the right to get information with regards to their personal information that will be collected, whether their records may be sold or exposed, to…

St. Joseph’s/Candler Hospital Health System is facing a class-action lawsuit because of a ransomware attack that took place on June 17, 2021. Because of the attack, files were encrypted, which forced the hospital to take its IT systems off the internet. The hackers accessed the systems containing the protected health information (PHI) of 1.4 million individuals, such as names, driver license numbers, Social Security numbers, medical insurance data, healthcare information, and financial details. St. Joseph’s/Candler provided impacted patients with an Experian IdentityWorks credit monitoring and identity theft protection service membership for one year. The ransomware attack investigation results confirmed that…

On August 21, 1996, that is 25 years ago, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. Not many people then would have thought that the HIPAA would develop into the all-inclusive national health privacy legislation that it is nowadays. It is hard to dispute that the HIPAA isn’t a total success, however, the legislation has drawn a reasonable number of criticism through the years, particularly at first because of the substantial administrative burden it put on healthcare companies. Overall, the enhancements to medical care that have resulted from HIPAA compliance more than offset the…

A2Z Diagnostics, a specialist diagnostic screening laboratory in New Jersey, started informing patients about the inclusion of some of their protected health information (PHI) in employee email accounts that were accessed by unauthorized individuals. Upon knowing about the breach, A2Z quickly protected the email accounts and third-party cybersecurity experts investigated the breach to ascertain if any emails or attachments were viewed or obtained during the attack. A2Z Diagnostics discovered on June 28, 2021 that the breach of accounts took place from February 2, 2021 to April 2, 2021. Some of the accounts comprised the personal information and PHI of persons…

UPMC has suggested a $2.65 million settlement to close a data breach case filed by workers affected by a data breach in February 2014. UPMC based in Pittsburg, PA submitted a report about the data breach in February 2021 and initially thought the attackers had just taken the tax-data of several hundred of its staff; but, in April 2014, UPMC stated that the breach was much more extensive and impacted 27,000 of its 66,000 workers. In May 2014, UPMC reported that the personal data of all of its workers had probably been breached. The information impacted in the attack included…

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that discusses bad practices in cybersecurity, which are particularly damaging and significantly increase the risk to critical infrastructure. A lot of resources had been published regarding cybersecurity best practices, which if implemented can strengthen security. Even so, CISA thinks another point of view was needed as it is in the same way, if not more, vital to ensure the removal of bad cybersecurity practices. CISA mentioned that stopping the most egregious risks demands that companies should make a decisive effort to stop bad practices. CISA is advocating…

In September 2020, The University Of Nebraska Medical Center And Nebraska Medicine learned that their systems were attacked and infected with malware giving the hackers access to the protected health information (PHI) of around 219,000 persons. The attack pushed Nebraska Medicine to turn off its systems interrupting operations. The attackers primarily obtained access to Nebraska Medicine’s networks on Aug 27, 2020 and for 24 days viewed its systems and patient data. Nebraska Medicine blocked access on Sept. 20, 2020. During that time frame, the lawsuit alleged the hackers exfiltrated patient information. The breach affected patients of Nebraska Medicine, Great Plains…

The number of healthcare providers to claim they were affected by the Accellion ransomware attack is growing, with two of the newest victims such as Trillium Community Health Plan and Arizona Complete Health. In the later part of December, unauthorized persons took advantage of zero-day vulnerabilities in Accellion’s obsolete File Transfer Appliance platform and stole files of its clients prior to implementing CLOP ransomware. Trillium Community Health Plan lately informed 50,000 of its members that protected health information (PHI) including names, birth dates, addresses, medical insurance ID numbers, and diagnosis and treatment information was acquired by the folks associated with…

US Fertility is confronted with a class-action lawsuit in connection with a ransomware attack in September 2020, where the resulting data breach impacted 878,550 people. US Fertility offers IT systems and administrative, clinical, and business data services. It is one of the biggest vendors of support services to infertility clinics in America. On September 14, 2020, US Fertility identified ransomware that encrypted files on its systems. The investigation showed that the threat actors responsible for the attack copied files from August 12 to September 14, 2020, a few of which included protected health information (PHI). The types of information acquired…

The Delaware Superior Court dismissed a legal case filed on behalf of affected persons of a Brandywine Urology Consultants data breach after plaintiffs were unable to produce information proving they had sustained harm because of the breach. Brandywine Urology Consultants suffered a ransomware attack on January 27, 2020 The attack was discovered after two days and the following investigation established the attackers acquired access to a system that included patient data. Brandywine Urology Consultants determined from its inquiry that the cyber attack was done for extortion and not just to acquire patient records, though unauthorized data access and data theft…

The Department of Health and Human Services’ Office for Civil Rights has released its 2016-2017 HIPAA Audits Industry Report, showing areas where HIPAA-covered entities and their business associates are complying or fails to follow the conditions of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act mandates the HHS to perform routine audits of HIPAA covered entities and business associates to evaluate HIPAA Policies compliance. Between 2016 and 2017, the HHS carried out its second level of compliance reviews on 166 covered entities and 41 business associates to check compliance with…

Twitter is going to pay a €450,000 ($544,600) penalty for breaking the EU’s General Data Protection Regulation (GDPR). The Ireland Data Protection Commission (DPC) issued the penalty because of the privacy breach report Twitter submitted to the DPC last January 8, 2019. After receiving a breach notification report from Twitter International Company, DPC launched an investigation on January 22, 2019 to find out if Twitter is GDPR compliant. On December 26, 2018, a researcher informed Twitter regarding a problem. Twitter gives its users the choice to send protected Tweets or not. Only a particular group of people or followers can…

Mayo Clinic is confronted with multiple class-action lawsuits because of an insider data breach in October 2020. Mayo Clinic learned an ex-worker obtained access to the health data of 1,600 patients with no authorization and viewed details that include patient names, demographic data, dates of birth, clinical notes, medical record numbers, and medical images. As per the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities need to employ safety measures to secure the confidentiality, integrity, and privacy of protected health information (PHI) and controls data disclosures and uses if patient permission is not acquired. Healthcare staff are granted…

On November 20, 2020, the Office of Inspector General (OIG) and the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) launched the final rules for enhancing the coordination of health care and lessen regulatory difficulties. The two final rules consist of safe harbor conditions that permit hospitals and healthcare delivery systems to provide cybersecurity technology to physician practices. The CMS launched the final copy of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, generally known as Stark Law, and the OIG finalized updates to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary…

The due date for compliance with the required information blocking and health IT certification of the 21st Century Cures Act was prolonged as a result of the current coronavirus pandemic. The US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) published on October 29, 2020 the launch of an interim final rule with the time period for giving comments lengthened the compliance dates and time periods for getting particular information blocking and Conditions and Maintenance of Certification (CoC/MoC) standards. The ONC’s Cures Act Final Rule unveiled on March 9, 2020 outlined exclusions…

Montefiore Medical Center in Bronx, NY has dismissed a staff because of the claimed theft of the protected health information PHI of roughly 4,000 patients. Montefiore knew about the probable internal data breach in July 2020 and started an investigation into unauthorized health record access. Montefiore had put in place a technology solution that monitors EHRs for unauthorized access. Therefore, the personnel was determined. The investigation affirmed that the personnel had gotten access to healthcare records with no valid work reason between January 2018 and July 2020. Accessing the medical records of patients though there isn’t a valid reason for…

A new study that JAMA published revealed that nearly all websites providing COVID-19 information include third-party tracking code that presents a risk to privacy. With the tracking code, the web pages could collect information from website visitors and transmit that data to third parties. The transferred data usually includes the URLs visited by a user and his/her IP address. Other data could also be obtained, and that information enables the creation of detailed profiles on the browsing habits and interests of people. Because IP addresses are gathered, that data can quickly be linked with a particular individual. The Carnegie Mellon…

A bill (SB-980) that confirms the Genetic Information Privacy Act has been approved by the California Senate. Currently, California Governor Gavin Newsom simply needs to sign the bill. The Genetic Information Privacy Act will bring in new requirements for businesses providing direct-to-customer genetic tests to safeguard consumer privacy and protect personal and genetic data. Presently, direct-to-client genetic testing services are mostly not regulated. There is the worry that the tactics of organizations that provide these services can possibly expose sensitive genetic information and that external parties can exploit the utilize of genetic information for sketchy purposes, for example, mass surveillance,…