On May 25, 2018, the General Data Protection Regulation (GDPR) came into force across the European Union. The GDPR was created to protect the personal data of EU citizens. This article examines two GDPR-compliant encryption methods: standard encryption and pseudonymization.
Healthcare has now surpassed nuclear power and financial services as the most highly regulated industry in the U.S. - and for good reason. The health, safety, and privacy of individual patients and the public at large is at stake.
For better or for worse, there exists a complex web of local, state, and federal laws and regulations that govern the businesses of healthcare providers and healthcare companies - from patient safety and privacy protections, to corporate transactions and contractual relationships. Navigating this complicated landscape requires a deep understanding of the risks and opportunities inherent in the healthcare industry; in other words, it requires an experienced healthcare attorney.
On January 2, 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule amending 42 C.F.R. Part 2 (“Part 2”), making changes to the federal rules governing confidentiality and disclosures of patient substance use disorder (“SUD”) records for the first time since 1987. Part 2 protects the confidentiality of SUD records, which are a subset of protected health information (PHI). This means that these records are subject to HIPAA but are also protected by Part 2, which contains additional (and more stringent) federal protections. These overlapping standards can make the storage and disclosure of patient records administratively burdensome for healthcare providers, patients, and their families. They are also a challenge for technology companies that store, analyze, and transmit patient records on behalf of providers and patients.
Health IT vendors are under incredible pressure to represent to customers that their hardware and software solutions are impervious to cyber threats. Pick any major trade show and the first line you'll hear from exhibitors is that their solution is HIPAA-compatible or, even more misleading, HIPAA-compliant. It's important that vendors understand that overstating security protocols and capabilities can have major legal and financial implications.
On January 6, 2016, in a dramatic national press conference, President Obama announced several actions by his administration to address gun violence in the US. One of these actions is a long-planned modification to the Health Insurance Portability and Accountability Act (HIPAA). The same day, the Department of Health and Human Services (HHS) published a Final Rule adding a permitted disclosure to the HIPAA Privacy Rule, which expressly permits a limited number of Covered Entities to disclose protected health information (PHI) of certain individuals to the National Instant Criminal Background Check System (NICS). The modification is aimed at removing one barrier to expanding the quality of the information in NICS, which is used by firearms vendors to disqualify potential purchasers who are federally barred from owning firearms.