On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) decided it was time to give the HIPAA Security Rule a much-needed cybersecurity makeover—and let’s just say, it’s not just a light touch-up. These proposed changes mean stricter security rules, fewer loopholes, and a whole lot more paperwork for covered entities, business associates, and especially Health Information Exchanges (HIEs) and Health Information Networks (HINs).
During Fall 2024, the HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. There has been a 264% uptick in large ransomware breaches since 2018.
Attorneys at Oscislawski LLC, together with the New Jersey Hospital Association, present this highly informative webinar on compliance steps hospitals can take to manage the risks associated with the use of technologies that include online tracking tools.
The forecast for Arizona is thunderstorms, at least for one health care system. Last week, OCR announced a $1.25 settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.
The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size and operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.
Becker’s Hospital Review reported that 70% of CIOs are “concerned” about meeting the upcoming November 2nd deadline for complying with the Final Rules prohibiting information blocking practices. This is according to a survey conducted by CHIME, which included responses from executives at academic medical centers, critical access hospitals, multi-hospital systems and specialty hospitals. Although the survey did not appear to identify specifically what concerns CIOs about complying with information blocking rules by this fall, one possibility is fully understanding how ONC’s information blocking rules will apply to releasing patients’ EHI to third-party apps.