On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  16 C.F.R. §§ 318.3, 318.5.  Third-party service providers are also required to notify covered vendors of any breach.  16 C.F.R. § 318.3.

Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and

On December 2, 2014, the Anchorage Community Mental Health Services (ACMHS) agreed to pay $150,000 under a settlement agreement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  ACMHS entered the settlement agreement after an OCR investigation revealed that ACMHS had failed to implement adequate security measures to guard against unauthorized access to electronic protected health information (e-PHI).  The settlement underscores the importance of regularly reviewing and addressing risks to e-PHI.
Continue Reading Recent HIPAA Settlement Highlights Need to Address Software Risks

In its Annual Report to Congress on Breaches of Unsecured Protected Health Information, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reports on both large and small breaches of protected health information (PHI), as well as breach-related settlement agreements and audits.  The Office also recommends steps that covered entities should take to reduce the likelihood of breaches, including having thorough risk analysis and risk management plans, encrypting PHI stored on portable electronic devices, and ensuring that employees are properly trained on privacy and security policies.
Continue Reading HHS Report Details Breaches of PHI, Makes Recommendations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released two annual reports regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) and provisions enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The reports indicate that HIPAA-related complaints continue to grow annually; however, OCR intends to focus its compliance efforts on “high-impact” cases unless it obtains additional funding.  Additionally, the reports suggest that OCR is increasingly willing to impose significant penalties and seek large monetary settlements for HIPAA violations.  Below we discuss the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, and in a separate post we address the annual report dealing with breaches.
Continue Reading HHS Report Highlights HIPAA Privacy, Security, and Breach Notification Compliance Trends