Are you a business that has had a data breach? Will your customers be able to sue you?

Class actions for damages resulting from a data breach are difficult to win unless there is an identifiable harm. Once again a court has determined that the mere loss of data is not sufficient to confer standing (Chambliss v. CareFirst, Inc., No. RDB-15-2288 [D. MD., May 27, 2016]). With the decision in Chambliss, Maryland […]

OCR Announces that the Phase 2 HIPAA Audit Program Has Already Started

The HHS Office for Civil Rights (OCR) just announced that its Phase 2 HIPAA audit program has started and that covered entities and business associates are already being contacted. You can find this announcement here. OCR has begun sending emails to verify contact information for various covered entities and business associates and determine which entities […]

ATTENTION ALCOHOLISM AND SUBSTANCE ABUSE SERVICES PROVIDERS: SAMHSA’s Proposed Changes to 42 CFR Part 2 Address Key Integration Issues, Raise Other Questions About Compliance Responsibilities

In an earlier post, we highlighted that the federal Substance Abuse and Mental Health Services Administration (“SAMHSA”) submitted a proposed rule for public comment in the February 9, 2016 edition of the Federal Register, see 81 FR 6988, proposing a number of changes to 42 CFR Part 2 (“Part 2”), the federal regulations governing the […]

SAMHSA Submits Proposed Changes to 42 C.F.R. Part 2

Alcoholism, substance abuse and chemical dependency treatment providers should be aware that the Substance Abuse and Mental Health Services Administration (“SAMHSA”) has promulgated proposed changes to regulations regarding the privacy and confidentiality of what are now called “substance use disorder” treatment records. Those privacy regulations, which are located at 42 C.F.R. Part 2, are well […]

Disclosure Of Student Mental Health Records: Teachable Moment From Oregon

This month’s column in the Albany County Bar Association Newsletter reviews the situation that unfolded earlier this year at the University of Oregon. The university, which had been put on notice of a tort claim by a student in connection with an alleged sexual assault, controversially obtained the treatment records of the same student from an on-campus […]

Beware of Broadening Data Security Requirements – A National Trend

In the wake of some of the largest data security breaches in history, including the massive breach of government computer systems in June that compromised the sensitive information of 21.5 million people, several states have recently amended their current data security laws. The recent amendments will likely give data security statutes more bite by providing […]

A Boston hospital pays when its employees neglect HIPAA

After two investigations by the United States Department of Health and Human Services, Office for Civil Rights (“HHS”), St. Elizabeth’s Medical Center, a Boston-based hospital, has agreed to a Resolution Agreement with HHS. The Resolution Agreement appears to settle two apparently unrelated HIPAA issues at the same facility in 2012 and 2014.

New York Proposes Overhaul of Its Data Breach Statute and a New Data Security Standard in the Wake of Recent Cyber Attacks

The largest data security breaches ever reported have occurred in the last several years. The organizations whose data security systems were compromised in connection with these massive breaches include Anthem, eBay, Target, Home Depot, JP Morgan Chase, Adobe and now the federal government’s Office of Personnel Management. Not only is the scope of these breaches […]