A with Reece Hirsch of Morgan Lewis Late last year, the U.S. Department of Health and Human Services (HHS) released voluntary cybersecurity standards that help bring the HIPAA Security Rule into focus and up to date with current cyber threats. The new guidance could also have implications for the way “reasonable standards” are legally defined…

A Q&A with Paul Otto of Hogan Lovells Given recent events such as the 2017 WannaCry ransomware attack that affected more than 200,000 computers across 150 countries, concerns about data privacy and medical devices have come to the fore with increased scrutiny from regulators. To understand the risks medical devices pose and how companies are…

A Q&A with Antony Kim and John Wolfe of Orrick, Herrington and Sutcliffe The recent HIPAA breach at St. Elizabeth’s Medical Center in Brighton, MA, brought some key issues to light. With the continual outsourcing of healthcare sector computing for ePHI data to external third-party clouds, it’s becoming increasing vital that the covered entity (CE)…

A Q&A with J.T. Malatesta of Maynard Cooper & GaleMedical Informatics Engineering and subsidiary NoMoreClipboard revealed a breach last month affecting up to 3.9 million Americans which has now resulted in a series of class action lawsuits on behalf of victims. The incident is causing headaches for risk managers in the healthcare sector, including their…

A Q&A with Barbara Anthony, Undersecretary of Massachusetts Office of Consumer Affairs and Business Regulation Since 2009, Massachusetts has been releasing reports on the state’s data breaches. In 2013, the state received over 1,800 notifications for breach events that had the potential to impact over 1.2 million residents. I asked Barbara Anthony about the current…

A Q&A with Michael Whitcomb of Loricca
The Department of Health and Human Services’ Office for Civil Rights will resume its HIPAA compliance audit program this fall, focusing on both covered entities and business associates with a limited number of narrowly focused “desk audits” as well as comprehensive onsite audits. I asked Michael Whitcomb, founder and president of the IT security and compliance firm Loricca, Inc., what healthcare organizations need to do in anticipation of this increased scrutiny.

A Q&A with Ronald Raether of Faruki Ireland and Cox P.L.L.
Having written privacy and security policies and procedures in place is critical for organizations in an era when data breaches are an inevitable reality, which is why data security-focused law firm Faruki Ireland & Cox has created policy templates for clients. These templates are now available in the eRisk Hub® and I spoke to attorney Ronald Raether about how they should be used.

A Q&A with Lynn Sessions of Baker Hostetler LLP
Now that the Affordable Care Act (aka Obamacare) is law, states potentially now have cyber public entity liability exposure, due to their role in managing PHI in connection with the healthcare exchanges, the data hubs that will centralize and route private information through government agencies and related businesses. This new model has already led to privacy data breach incidents, well before the act went into effect this past October (see example). To sort through the complications the ACA poses to public entities, I spoke with Lynn Sessions, counsel at Baker Hostetler LLP.

A Q&A with Barbara Bennett
When they were released this past January, the final HITECH regulations amending the HIPAA Security, Privacy, Breach and Enforcement Rules updated those regulations with expansion of the scope of the rules, increased patient protections and more stringent government oversight, including application of the rules to contractors and subcontractors. So what does this mean for healthcare organizations and the service providers that work with them? I asked Barbara Bennett, partner at Hogan Lovells, LLP in Washington, DC to explain the finer points of the final rules.

A Q&A with Lynn Sessions of Baker Hostetler
In enforcing the HIPAA/HITECH regulations, the Department of Health and Human Services’ Office of Civil Rights (OCR) has been coming down on healthcare organizations with recent fines of US $1.7 million, and yet the OCR and its investigations remains an area of mystery for many organizations. I asked Lynn Sessions, counsel at Baker Hostetler in Houston, TX, for some perspective on OCR’s process for ensuring data security and privacy compliance in healthcare.