A recent letter from researchers at the Mayo Clinic to the editor of The New England Journal of Medicine outlined a new challenge in de-identifying, or preserving the de-identified nature of, research and medical records.[1] The Mayo Clinic researchers described their successful use of commercially available facial recognition software to match the digitally reconstructed images of research subjects’ faces from cranial magnetic resonance imaging (“MRI”) scans with photographs of the subjects.[2] MRI scans, often considered non-identifiable once metadata (e.g., names and other scan identifiers) are removed, are frequently made publicly available in published studies and databases. For example, administrators of a national study called the Alzheimer’s Disease Neuroimaging Initiative estimate other researchers have downloaded millions of MRI scans collected in connection with their study.[3] The Mayo Clinic researchers assert that the digitally reconstructed facial images, paired with individuals’ photographs, could allow the linkage of other private information associated with the scans (e.g., cognitive scores, genetic data, biomarkers, other imaging results and participation in certain studies or trials) to these now-identifiable individuals.[4]
Updated Civil Monetary Penalties
The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 requires agencies to adjust civil monetary penalties for inflation annually. Effective November 5, 2019, the Department of Health and Human Services released updated civil monetary penalties for the regulations its agencies are responsible for enforcing.
Below are key changes applicable to healthcare providers.
…
Tenth Circuit Affirms an Award of Attorneys’ Fees for a Successful FCA Defendant
On June 11, 2019, the Tenth Circuit affirmed an award of $92,592.75 in attorneys’ fees to the defendants in Pack v. Hickey, 776 F. App’x 549 (10th Cir. 2019). Pack had appealed the district court’s entry of summary judgment and related orders in favor of Defendants Maureen Hickey (“Hickey”) and Cloud Peak Initiatives,…
Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement
In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
HHS to Ease Fraud and Abuse Rules Part 1: Proposed Revisions to Existing Anti-Kickback Statute Safe Harbors
As discussed in a previous McGuireWoods alert, on Oct. 9, 2019, the Department of Health and Human Services announced two proposed rules to significantly amend the Physician Self-Referral Law (Stark Law), the federal Anti-Kickback Statute (AKS) and the Civil Monetary Penalties Law. This client alert, the first in McGuireWoods’ summary series on these proposed…
Cybersecurity in Project Finance and M&A
Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1] Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication. Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards. Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks. The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]
5 Cybersecurity Questions To Ask Your CISO
Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.
Counsel and business executives take note: cybersecurity is not just an IT problem; robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data and systems security will create costly, significant, and unnecessary risk.
(https://digitalguardian.com/blog/whats-cost-data-breach-2019)
The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals – a dialogue that will allow you to assess your company’s readiness to counter a broad range of exploitation techniques more capably.
Try calling your CISO or CIO and asking these questions:
Ready or Not, Prepare to Start Answering Questions About Reg BI Compliance
On June 5, 2019, the SEC adopted Regulation Best Interest (“Reg BI”), which requires broker-dealers and associated persons to make recommendations regarding securities transactions (or investments involving securities) that are in the “best interest” of their retail clients. The SEC also adopted Form CRS, requiring broker-dealers and investment advisers to provide a brief relationship summary…
From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement
Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences. This can be costly on multiple fronts. In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations. Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.” Of course, this warning is not limited to dentists; all health care providers should take heed.