Cyberattacks on the healthcare industry have reached a fever pitch. In 2020 alone, there was a drastic increase in cybersecurity breaches at healthcare organizations. In 2021, the average cost of a healthcare data breach rose by over $2 million to $9.23 million. Healthcare providers continue to be the most targeted industry for cybersecurity breaches, with over ninety-three percent of healthcare organizations experiencing a data breach in the past three years. In 2020, 306 breaches of unsecured protected health information (“PHI”) affecting 500 or more individuals were reported to the U.S. Department of Health and Human Services (“HHS”). Yet healthcare organizations remain ill-equipped to handle this growing problem.
On November 18th, 2019, Congress introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, known as the Smartwatch Data Act. The bill was introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy, prompted by Google’s announced plan to acquire fitness tracker manufacturer Fitbit in 2020. Since the acquisition was announced, privacy advocates have raised concerns about how Google will use the personal health data collected through Fitbit devices. The legislation therefore aims to ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold without consumer consent.
On September 9th, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its first enforcement action and settlement under its Right of Access Initiative. Bayfront Health St. Petersburg (Bayfront) agreed to pay $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, after it failed to provide a mother timely access to the records about her unborn child. OCR Director Roger Severino stated, “[w]e aim to hold the health care industry accountable for ignoring peoples’ right to access their medical record and those of their kids.”
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
A provision of the HIPAA Privacy Rule allows, and in some cases requires, covered entities to disclose a patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
Alexander Thompson, Associate Editor, Loyola University Chicago School of Law, JD 2018
On February 16, 2017, the HHS Office for Civil Rights Acting Director, Robinsue Frohboese, announced the second largest HIPAA settlement fine ever. At $5.50 million, Memorial Healthcare System’s fine was just behind the $5.55 million given to Advocate Healthcare in 2016. Memorial …
Mary H. Carlson, Associate Editor, Loyola University Chicago School of Law, JD 2018
Social media has emerged as a preferred platform for the expression of personal opinions, a means of gathering new information, and an important networking tool. However, health care professionals (HCPs) subject themselves …
Ryan Whitney, Managing Editor, Loyola University Chicago School of Law, JD 2017
HIPAA breaches occur on a daily basis. Although undesirable, many of these breaches are not serious enough to require patient notification. Others are more egregious and can cause harm to both the patient and the providing entity. This article outlines a …
Christine Bulgozdi, Associate Editor, Loyola University Chicago School of Law, JD 2018
The Office for Civil Rights (OCR) announced in August that it would be focusing more effort on investigating breaches of Protected Health Information (PHI) affecting fewer than 500 individuals. Currently, regional offices investigate all breaches affecting more than 500 individuals, but only …