Posts in Data Privacy & Security.
By February 16, 2026, HIPAA covered entities receiving substance use disorder (SUD) records from a Part 2 program must revise their Notice of Privacy Practices to comply with a 2024 HHS Final Rule.
Kentucky and Indiana implemented new consumer data privacy laws, the KCDPA and ICDPA, effective January 1, 2026. Both laws impose requirements on businesses handling personal data and grant rights to consumers. Compliance is essential to avoid penalties, and businesses should review the guidance from the respective state Attorney Generals ...
Kentucky's Consumer Data Protection Act (KCDPA), effective January 1, 2026, grants consumers rights over their personal data and mandates compliance for businesses handling such data. Controllers must implement privacy practices, limit data collection, and provide clear privacy notices. Violations may result in enforcement by the Attorney ...
The December 23, 2024 deadline is fast approaching for HIPAA-covered entities to revise their policies and procedures regarding reproductive health. The Office for Civil Rights (OCR) issued a Final Rule that restricts the disclosure of protected health information (PHI) related to lawful reproductive health care, requiring policy amendments ...
On October 16, 2024, the U.S. and International cyber security agencies issued a Joint Cybersecurity Advisory warning of Iranian cyber actors’ brute force and credential access activities that have compromised critical infrastructure organizations. The Advisory provides details on these activities along with mitigation and detection ...
Vendors of personal health records will face new rules for data breach notifications, as clarified by the Federal Trade Commission's Final Rule. The amendments address the increased use of health-related technology and emphasize the importance of notifying individuals and the FTC in case of a breach. The rule expands on definitions, breach ...
On April 4, 2024, Kentucky became the 15th state to enact a comprehensive consumer data privacy law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers and imposes requirements on certain businesses that collect consumer data ...
The U.S. Department of Health and Human Services announced a Final Rule called HIPAA Privacy Rule to Support Reproductive Health Care Privacy, prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. The rule also affects the confidentiality of substance use disorder ...
On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. 
The deadline for notifying the Office of Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually on March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th ...
HHS and AHA alert the health care sector to a software vulnerability dubbed "Citrix Bleed" that can be exploited by bad actors to cause damage, including ransomware.
On November 28, 2022, HHS released Proposed Rule to amend Part 2 regulation on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs. The Proposed Rule would align Part 2 with HIPAA's requirements for consent, disclosure, de-identification, unsecured PHI, data breach notification, and other ...
The FTC recently took enforcement action against an online e-commerce company and its CEO for failing to implement data security policies and procedures to protect the personal information of consumers. The FTC alleged that the company’s inadequate security measures and its website Privacy Policy regarding such measures constituted unfair ...
Best practices in IT data security include the use of multi-factor authentication (MFA) but cyber threat actors are evading the data security that MFA is intended to provide. To combat this, CISA recently issued guidance and fact sheets urging the migration to phishing-resistant MFAs such as FIDO/WebAuthn and PKI-based MFA. If this is not feasible ...
CISA issues statement on critical vulnerability in products that contain log4j software library. Bad actors are exploiting the vulnerability to steal information, launch ransomware, or conduct other malicious activity. Ten major tech vendors issue statements that one or more of their products are affected by the log4j vulnerability ...
KRONOS payroll support services notifies customers of a ransomware attack. A ransomware attack that compromises employee personal information could trigger data breach notification for employers under state breach notification laws.

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach ...

By: Courtney Samford; contributing author Blake Sims, Wyatt Summer Associate

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper ...

Congressional Bill H.R. 7898 signed into law on 1/5/2021 amends HIPAA's penalty standard for data breaches by mandating that HHS give favorable consideration to "recognized security practices" that the covered entity or business associate implemented.
FBI, HHS and CISA issue Joint Cybersecurity Advisory warning hospitals and health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital systems for financial gain.

Written by:  Kathie McDonald-McClure

On Monday, July 13, 2020, the Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a SAP cybersecurity alert, No. AA20-195A, regarding a critical vulnerability that an unauthenticated attacker could exploit through the Hypertext Transfer Protocol (HTTP) to take control ...

CISA issues new Cybersecurity Alert on May 5, 2020 to warn of APT groups exploiting COVID-19 pandemic. APT actors use password sprays to hack into pharmaceutical, medical research organizations, universities and their supply chains, and steal “bulk personal information, intellectual property and intelligence that aligns with national ...
Wyatt Offers Data Security Tips for “New Normal” of Telework. As office workers and healthcare providers switched to telework and telehealth under state stay-at-home orders, malicious cyber actors were ramping up to take advantage of the security gaps that would inevitably accompany such a sudden transition. Wyatt’s data privacy counsel ...
COVID-19 expanded the use of telehealth and it's likely here to stay. Cyber criminals are taking advantage of healthcare's quick turn to audio-video platforms without having taken time to protect health information from unauthorized disclosure. Here are some tips to ensure your audio-video communication is secure ...

By Lindsay K. Scott

Following expansion by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and ...

CMS proposes new Medicare Conditions of Participation for hospitals that will require hospital EHRs to send electronic event notifications to other providers when a patient has been admitted, discharged or transferred. CMS seeks stakeholder input, including the timeframe for implementation. Comments are due by Friday, May 3, 2019 ...

By Margaret Young Levi and Kathie McDonald-McClure

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S ...

Allscripts' ransomware attack on its cloud-based platforms triggers HIPAA compliance obligations for "covered entities" who entered patient health information on those platforms. A putative class action lawsuit filed on behalf of providers using the Allscripts platforms alleges the attack was a HIPAA "breach". Providers who used these ...
On Wednesday afternoon, May 3, 2017, cybercriminals appeared to have launched a massive malicious email campaign. The emails ask the recipients to click on a link to view a document purportedly shared on Google Docs. Upon clicking the link, the account owner is asked to enter their Google account log-on credentials. The cybercriminals use the ...

The Federal Trade Commission (FTC) Bureau of Consumer Protection released a study this month (March 2017) indicating that business entities could be doing more to stop malicious emails from hitting the inboxes of employees.  The goal behind many malicious emails is to trick individuals into turning over either their own confidential ...

Blockchain technology may solve healthcare IT's security and interoperability challenges. The HHS ONC and healthcare IT developers are rushing to explore its capabilities and launch open-source development tools.

Wyatt Tarrant & Combs, LLP is sponsoring the Kentucky Chamber’s Cyber Security and Data Privacy seminar on Tuesday, February 28, 2017, at the Griffin Gate Marriott Resort in Lexington, Kentucky.  We’ve put together a terrific panel of presenters, including, among others, representatives of Homeland Security and Crowdstrike, the firm ...

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements ...

The United States Court of Appeals for the Eleventh Circuit granted LabMD's motion to stay enforcement of the FTC's Final Order, holding that there was no proof that LabMD’s failure in securing the privacy of the patient data at issue caused injury or harm or that it was “likely to cause” injury or harm.

On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  ...

On July 11, 2016, the HHS Office for Civil Rights issued a Fact Sheet about Ransomware for entities subject to HIPAA. Due to the unique nature of ransomware in making computer data inaccessible, OCR notes that patients may still need to be notified if care is compromised as a result of a ransomware attack. The HIPAA standard that presumes there is a breach ...

Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine.  The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999.   The amendment, among ...

By Kathie McDonald-McClure

We recently posted an article about Tennessee's amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine

By Kathie McDonald-McClure and Matt San Roman

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will ...

The Department of Health and Human Services' Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification ...

Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Both settlements stem from the entity’s reports to OCR ...

As the April 15th tax filing deadline draws near, cybercrime related to filing fraudulent tax returns to obtain tax refunds has picked up.  On March 1, 2016, the United States Internal Revenue Service (IRS) issued an Alert for Payroll & HR Professionals on scam emails that attempt to trick company personnel into turning over employee W-2s ...

UPDATE: Senate Bill 23 did not become law during 2016 Kentucky Legislative Session. The bill was passed unanimously by the Senate. It was then sent to the House, where it was read twice, amended, but never read for the third and final time.


Overview

The Commonwealth of Kentucky’s General Assembly is considering a bill which would permit parents ...

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for "personal health records" (PHRs), which was the emerging ...

Kathie McDonald-McClure, member of Wyatt's Data Privacy & Security and Health Care Service Teams, will be speaking at an event presented by the Health Enterprises Network and Bluegrass Healthcare Information and Management Systems Society (Bluegrass HIMSS) entitled, "Whose Data Is It Anyway?"  Ms. McDonald-McClure will share strategies ...

One of the goals of our HITECH Law blog is to start dialogue and share information and insights in the ever changing world of cyber security.  In our previous post, “Ten Easy Cyber Security Measures…”, we relayed some information from the FBI about thieves breaking into gas pumps and inserting card readers.  One of our readers sent us some ...

The Wyatt, Tarrant & Combs Data Privacy & Security Services Team offers 10 cyber security New Year's resolutions to help protect you and your business in 2016. Read the tips on the Wyatt HITECH Law Blog!

Data privacy and security issues are bursting at the seams in ALL industry sectors due to the ability to connect to the internet through networks, apps and a multitude of devices that enable individuals and organizations to collect, transmit, store and use information in a multitude of ways.  Connecting to the internet poses privacy and security ...
