HIPAA compliance audits

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI.  Samuels highlighted an increase in infiltration of computer networks reported under the breach notification requirements, explaining that hacking and other cyberthreats are affecting not just covered entities like health care providers, insurers and clearinghouses, but also business associates handling ePHI on behalf of covered entities.  Despite this concern, it is unclear when OCR will launch its HIPAA compliance audits of covered entities and business associates, which were slated to begin in early 2015. 
Continue Reading HIPAA 2015 Enforcement Priorities Highlight Cyber Threats, But Timing of HIPAA Compliance Audits Still Uncertain