radar Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry
Shortly after our prior blog post discussing the need for healthcare entities to shore up protections against phishing attacks, the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to alert members of the healthcare industry of indicators of compromise and tactics, techniques, and procedures used in phishing social engineering campaigns. This recent guidance underscores that phishing attacks have the attention of the FBI and HHS, and that health systems should proactively update their policies, procedures, and security to remain compliant with industry standards.
Phishing, the act of impersonating a person or business to deceive a target into revealing sensitive information, has quickly become the tool of choice for scammers and cybercriminals. In 2023, the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center noted that there were 298,878 complaints of phishing, a significant increase from the 114,702 cases reported in 2019.
Washington’s My Health My Data Act (MHMDA), signed into law last year, is here and goes into effect on March 31, 2024, with small businesses having until June 30, 2024 to comply. As previously reported, the new data privacy law is broad and will have significant impact for both Washington residents and persons whose business or data flows through the state. In brief, the legislation is intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued long awaited updates to the regulations at 42 CFR Part 2 (Part 2) on February 16, 2024. Part 2 is a critical set of rules protecting the privacy of patients receiving substance use disorder (SUD) treatment services and their associated clinical records.
In the first win for defendants facing Illinois Biometric Information Privacy Act (BIPA) litigation before the Illinois Supreme Court, the Court in Mosby v. Ingalls Memorial Hospital held that BIPA excludes from its protections the biometric information of healthcare workers where that information is collected, used, or stored for healthcare treatment, payment, or operations.
The US Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement agreement on June 15, 2023 with not-for-profit community hospital Yakima Valley Memorial Hospital (Yakima) related to Yakima employees’ snooping in medical records that resulted in the breach of protected health information (PHI).
Throughout the COVID-19 pandemic and related public health emergency (PHE), the US Department of Health and Human Services, Office for Civil Rights (OCR) issued four Notifications of Enforcement Discretion (referred to as “waivers”) designed to offer flexibility to healthcare providers battling the virus. On April 11, the OCR announced that these waivers will officially expire on May 11, 2023, in conjunction with the end of the PHE. While it is not unexpected that the OCR is pulling back these waivers, healthcare providers must ensure that their ongoing operations are fully compliant with the OCR’s HIPAA-related requirements. This blog post details the list of waivers issued by the OCR that will expire on May 11.
On February 9, 2022, US Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced bipartisan legislation designed to modernize health privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and account for emerging healthcare technologies not addressed by existing law.
The new Civil Cyber-Fraud Initiative of the US Department of Justice’s use of the punitive False Claims Act (FCA) and its whistleblower provisions has some important legal and risk management considerations for the health industry. Because enforcement will initially occur largely through civil investigations applying the FCA in the broadest possible way, healthcare organizations should undertake a priority assessment of their cybersecurity status to ensure that their practices can withstand hacks, whistleblowers, and government scrutiny.
Members of our emerging business and technology team recently hosted a webinar on seed financing structures for digital health companies. The program, led by partner Benjamin David Novak and associate Jessica Lee, discussed the market trends in digital health company financings as well as the various deal structures frequently used in seed financings.