Shortly after our prior blog post discussing the need for healthcare entities to shore up protections against phishing attacks, the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to alert members of the healthcare industry to indicators of compromise and tactics, techniques, and procedures used in phishing social engineering campaigns. This recent guidance underscores that phishing attacks have the attention of the FBI and HHS, and that health systems should proactively update their policies, procedures, and security to remain compliant with industry standards.
Health Law Scan
Legal Insights and Perspectives for the Healthcare Industry
Phishing, the act of impersonating a person or business to deceive a target into revealing sensitive information, has quickly become the tool of choice for scammers and cybercriminals. In 2023, the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center noted that there were 298,878 complaints of phishing, a significant increase from the 114,702 cases reported in 2019.
The US Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement agreement on June 15, 2023, with not-for-profit community hospital Yakima Valley Memorial Hospital (Yakima) related to Yakima employees’ snooping in medical records that resulted in the breach of protected health information (PHI).
Throughout the COVID-19 pandemic and related public health emergency (PHE), the US Department of Health and Human Services, Office for Civil Rights (OCR) issued four Notifications of Enforcement Discretion (referred to as “waivers”) designed to offer flexibility to healthcare providers battling the virus. On April 11, the OCR announced that these waivers will officially expire on May 11, 2023, in conjunction with the end of the PHE. While it is not unexpected that the OCR is pulling back these waivers, healthcare providers must ensure that their ongoing operations are fully compliant with the OCR’s HIPAA-related requirements. This blog post details the list of waivers issued by the OCR that will expire on May 11.
Last month we had an incredibly insightful Fast Break analyzing a significant HIPAA enforcement victory for The University of Texas MD Anderson Cancer Center (MD Anderson) in the US Court of Appeals for the Fifth Circuit. If you missed our live program with Morgan Lewis partner Scott McBride and MD Anderson Deputy Chief Compliance Officer Krista Barnes, you can still view the presentation, or check out the highlights below.
Our healthcare team recently published a LawFlash on a significant victory in the US Court of Appeals for the Fifth Circuit for The University of Texas MD Anderson Cancer Center. The case involved an appeal of a proposed civil money penalty (CMP) related to a Health Insurance Portability and Accountability Act data breach enforcement action brought by the US Department of Health and Human Services' Office for Civil Rights (OCR).
As we noted in our previous Health Law Scan blog, "CMS Issues Program Instructions for Medicare Telehealth Waiver," CMS issued program instructions on March 17 to implement the Medicare telehealth waiver in response to the coronavirus (COVID-19) crisis.
CMS issued program instructions on March 17 (through a Fact Sheet and FAQ) to implement the Coronavirus Preparedness and Response Supplemental Appropriations Act (CPRSAA), which was enacted on March 6 in response to the coronavirus (COVID-19) crisis.