Security, Privacy and Information Governance


Business Associate Exposes Protected Health Information of 19,000 Patients


An error made by a transcription service provider during a software upgrade on Orlando Orthopaedic Center (OOC)’s server in December 2017 has resulted in the exposure of more than 19,000 patients’ protected health information (PHI). PHI stored on OOC’s server from December 2017 until February 2018 – when the breach was finally discovered – was freely exposed over the internet without any authentication. Upon full investigation, patients’ names, social security numbers, dates of birth, insurance information, employer details, and treatment types were deemed accessible.

Continue reading

Continued Special Privacy Treatment for Substance Use Disorder Information


The Senate Health, Education, Labor and Pensions Committee recently passed the Opioid Crisis Response Act of 2018 (OCRA) – a bipartisan package of more than 40 proposals designed to help families and entire communities affected by the nation-wide opioid crisis.

Continue reading

OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis


In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017.  The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.

HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety.  However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:

  • Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
  • Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.

Continue reading

New FDA Guidance on Waiver of Informed Consent for Minimal Risk Investigations


The FDA recently issued new guidance that allows institutional review boards (IRBs) to waive or alter the FDA’s informed consent requirements for certain minimal risk clinical investigations without objection from the FDA.

The statutory basis for the guidance comes from amendments made by the 21st Century Cures Act from late in 2016 (P.L 144-255). This guidance, which took effect on July 25, 2017, is the first step for the FDA on this issue.  The FDA intends to implement subsequent regulations to permit IRB waiver or alterations of informed consent requirements for minimal risk clinical investigations.

Continue reading

Disrupting the Health Care Cybersecurity Model (or Lack Thereof): Health Care Industry Cybersecurity Task Force Calls Out Regulatory Barriers


In a previous blog post, our team evaluated the draft recommendations prepared by the Health Care Industry Cybersecurity Task Force in its “Report on Improving Cybersecurity in the Health Care Industry.”  

We recently examined three of the six major recommendations in the report and their potential impact on the existing health care regulatory environment. These include:

  • HHS and a Comprehensive Health Care Security Framework
  • Government and Private Incentives to Migrate Vulnerable Health Care Providers to More Secure Environments
  • Development of Fraud and Abuse Exemptions to Foster Collaboration and Permit Shared Resources

For more insight, read our detailed review of the health care security recommendations above.

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy