For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breach of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is the plan just sitting on the shelf untested?
SEC Continues Compensation Disclosure Focus With FAQs and Enforcement
On Oct. 18, 2019, the Securities and Exchange Commission (SEC) Division of Investment Management staff published Frequently Asked Questions Regarding Disclosure of Certain Financial Conflicts Related to Investment Adviser Compensation (FAQs). Many in the industry view the FAQs as overdue SEC guidance in an area that has been a focus of the SEC Division of…
OIG Redesigned Hotline Webpage
The Office of Inspector General (“OIG”) recently launched a new, redesigned hotline webpage to better guide the public through the tip and complaint reporting process. OIG hotline operations accept tips and complaints from all sources regarding potential fraud, waste, abuse, and mismanagement in the U.S. Department of Health and Human Services’ (“HHS”) programs. The…
Technology Continues to Outflank Health Information Anonymization
A recent letter from researchers at the Mayo Clinic to the editor of The New England Journal of Medicine outlined a new challenge in de-identifying, or preserving the de-identified nature of, research and medical records.[1] The Mayo Clinic researchers described their successful use of commercially available facial recognition software to match the digitally reconstructed images of research subjects’ faces from cranial magnetic resonance imaging (“MRI”) scans with photographs of the subjects.[2] MRI scans, often considered non-identifiable once metadata (e.g., names and other scan identifiers) are removed, are frequently made publicly available in published studies and databases. For example, administrators of a national study called the Alzheimer’s Disease Neuroimaging Initiative estimate other researchers have downloaded millions of MRI scans collected in connection with their study.[3] The Mayo Clinic researchers assert that the digitally reconstructed facial images, paired with individuals’ photographs, could allow the linkage of other private information associated with the scans (e.g., cognitive scores, genetic data, biomarkers, other imaging results and participation in certain studies or trials) to these now-identifiable individuals.[4]
Updated Civil Monetary Penalties
The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 requires agencies to adjust civil monetary penalties for inflation annually. Effective November 5, 2019, the Department of Health and Human Services released updated civil monetary penalties for the regulations its agencies are responsible for enforcing.
Below are key changes applicable to healthcare providers.
…
Tenth Circuit Affirms an Award of Attorneys’ Fees for a Successful FCA Defendant
On June 11, 2019, the Tenth Circuit affirmed an award of $92,592.75 in attorneys’ fees to the defendants in Pack v. Hickey, 776 F. App’x 549 (10th Cir. 2019). Pack had appealed the district court’s entry of summary judgment and related orders in favor of Defendants Maureen Hickey (“Hickey”) and Cloud Peak Initiatives,…
Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement
In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
HHS to Ease Fraud and Abuse Rules Part 1: Proposed Revisions to Existing Anti-Kickback Statute Safe Harbors
As discussed in a previous McGuireWoods alert, on Oct. 9, 2019, the Department of Health and Human Services announced two proposed rules to significantly amend the Physician Self-Referral Law (Stark Law), the federal Anti-Kickback Statute (AKS) and the Civil Monetary Penalties Law. This client alert, the first in McGuireWoods’ summary series on these proposed…
Cybersecurity in Project Finance and M&A
Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1] Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication. Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards. Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks. The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]