When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and
Password Protected Blogs
Latest from Password Protected
Ounce of Prevention: Do You Have Business Associate Agreements With Every Required Party?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and…
Ounce of Prevention: Is It Time to Perform a Security Risk Assessment?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under…
Navigating Cybersecurity and Data Privacy Regulations in the Insurance Industry
For over 100 years, the National Association of Insurance Commissioners (NAIC) has been developing model legislation to encourage uniformity among states for the regulation of insurance products. The NAIC model laws and guidelines are proposed statements of insurance regulation for all 50 states as well as the other jurisdictions (such as D.C. and Guam). Once…
Homeland Security and HHS Release Interactive Healthcare Cybersecurity Toolkit
In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.…
Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections
On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and why…
Changes Coming to Rules for Handling Children’s Data
On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.
What are some of the key proposed changes?
- Separate Opt-In for Targeted Advertising. Covered service operators are required
…
Merck Cyberattack Settlement Renews Spotlight on War Exclusions in 2024
Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. Read on for analysis…
New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law
On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).
The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope…
Can Any Data Breach Investigation Report Deserve Protection? Part I
Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.
In…