Data is rapidly becoming one of the most valuable assets in the healthcare market, putting digital health companies that collect and process large amounts of personal data at higher risk than many other types of businesses. If you have a healthcare business, then you’ll want to keep reading…
Discover how Privacy compliance impacts Digital Health Startup founders and executives in terms of access to capital and securing key vendor agreements in this webinar replay. You may not have ever looked at Privacy this way before, and we encourage you to explore this perspective so you can close those critical deals without unnecessary delay.
HIPAA Critical: Episode 10 | COVID-19’s HIPAA Impact, Increased Risk From Remote Work, Interview with Carrie Nixon
Historically, biometric data – think fingerprint scans to “clock in” and face recognition technology for identifying potential suspects – has been collected by employers, law enforcement, and financial institutions and used for security purposes. As technology evolves and becomes more sophisticated, private companies—including digital health, telemedicine, and RPM companies—are beginning to incorporate biometric data from consumers and patients into their solutions.
The lines between health data and consumer data are increasingly blurred as more technology companies venture into healthcare analytics and data processing. Why does this matter? Because there are state and federal laws protecting healthcare data collected by a person’s insurance company or physician, but for-profit companies that may collect healthcare and other sensitive personal data are often not subject to these laws. In addition, healthcare companies subject to state and federal healthcare privacy laws are increasingly leaning on third-party technology companies to derive value or insight from the healthcare data they collect in ways that would surprise many consumers.
General Data Protection Regulation (GDPR) preparedness should be a priority, and we will review the steps you need to take to make sure you’re in compliance. Though the GDPR comes from the European Union, businesses everywhere should apply GDPR principles in practice.
New technologies in healthcare mean new risks to the security and privacy of patient health data. Though most healthcare companies and providers are aware of the need for internal data security, many may not be in compliance when sharing information with third parties. As providers and vendors find new and innovative ways to work together, the need for data sharing will only increase. It is critically important that all parties know when and how protected health information (PHI) is shared, and when patient authorization is required to do so.
In October, the Health and Human Services Office for Civil Rights (OCR) shared that future healthcare privacy and security audits will shift from an educational focus to an enforcement focus. Previously, OCR performed these audits to educate providers on patient privacy and HIPAA. But now, the priority is enforcement. Instead of relying on complaints and breach notifications, the OCR will be more proactive in identifying problem providers. It’s important for all healthcare provider entities to have a HIPAA compliance plan actively in use. (We can help!)
As all healthcare providers know, the HIPAA Privacy Rule applies to their practice. But because many providers outsource some of their healthcare activities and/or functions, the HIPAA Privacy Rule also applies to these “business associates.” It is important that providers have assurances in writing that all business associates are appropriately safeguarding patient information and following all HIPAA provisions. The HHS Office for Civil Rights has issued a new fact sheet that lays out all provisions under which a business associate would be held directly liable for HIPAA Rule violations.
We like to find interesting tips and tricks to help our clients improve their health data security. This infographic from Inspired eLearning on "phishing" schemes covers the most common types of phishing attacks, including via email, phone call, text message, or USB baiting. Read on to learn about how these attacks can occur, common statistics, and prevention tips.
Many digital health technology companies have customers from multiple, or even all, states accessing their software and services. If these health tech companies have California customers, then starting in January 2020, they may need to abide by the California Consumer Privacy Act.
By building compliance processes into your internal structure, audits can be completed faster and can bring to light information that is beneficial for both your customers and employees. Here are seven tips to prepare for a healthcare compliance audit.
On May 25, 2018, the European Union officially began enforcing the General Data Protection Regulation (GDPR). The GDPR was created to protect the personal data of EU citizens. This article examines two GDPR-compliant encryption methods: standard encryption and pseudonymization.
Nixon Law Group Managing Partner, Carrie Nixon, was interviewed by Randy Wong, M.D. for an episode of the Healthcare's Prescription with Russ & Randy podcast. During the episode, Carrie discusses privacy protections for medical practice websites.
This article discusses how you can lower your risk through email encryption, thereby saving your healthcare practice or organization from an expensive data breach. Email encryption can help your organization protect against the most common form of data breach and better comply with HIPAA standards.
Beginning on May 25, 2018, HIPAA won’t be the only healthcare data security standard with which U.S. companies have to comply. Medical practices, digital healthcare companies, and vendors (e.g., electronic health records companies, medical billing companies, and cloud services companies) that do business in the healthcare sector and collect data from European citizens will be required to comply with the new EU General Data Protection Regulation (the “GDPR”). A recent Reuters article called the implementation of these regulations “the biggest overhaul of online privacy since the birth of the internet.”
On January 2, 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule amending 42 C.F.R. Part 2 (“Part 2”), making changes to the federal rules governing confidentiality and disclosure of patient substance use disorder (“SUD”) records for the first time since 1987. Part 2 protects the confidentiality of SUD records, which are a subset of protected health information (PHI). This means that these records are subject to HIPAA, but are also protected by Part 2, which contains additional (and more stringent) federal protections. These overlapping standards can make the storage and disclosure of patient records administratively burdensome for healthcare providers, patients, and their families. It is also a challenge for technology companies that store, analyze, and transmit patient records on behalf of providers and patients.
Earlier this year, a federally qualified health center, Metro Community Provider Network (“MCPN”), paid a $400,000 HIPAA breach penalty related to a 2011 phishing attack. In this attack, several MCPN employees had their email accounts hacked by a phisher who was able to gain access to about 3,200 individuals’ PHI.
Healthcare providers are highly sensitive to the risks introduced by recordings in the workplace—not the least of which are potential violations of federal and state laws regarding the privacy of their patients and residents. We have often advised our healthcare clients to enact restrictions on recordings that could introduce unnecessary risk, but a National Labor Relations Board (NLRB) decision, recently upheld by the U.S. Court of Appeals for the Second Circuit, indicates that those same restrictions on recordings might, in and of themselves, introduce compliance risk. In its decision, the NLRB had to determine whether no-recording policies maintained by employer Whole Foods were overly broad by prohibiting all recordings by Whole Foods employees without prior management approval. The NLRB’s position seems clear: Policies reasonably read as prohibiting all employee workplace recordings violate the National Labor Relations Act.
Caitlin Riccobono, Esq., Counsel at Nixon Law Group, develops these routine “Partners Pointers” for the Virginia-based healthcare organization Partners in Healthcare.
Topic: Business Associates of Business Associates
I was asked to address two main questions regarding a Business Associate that is a subcontractor of another Business Associate (we will call this a “Sub-BA”). First, to what extent is a Sub-BA permitted access to PHI? Second, what are the Sub-BA’s obligations with respect to safeguarding PHI?