Data Privacy and Security

Long before enactment of HIPAA, substance use disorder (“SUD”) treatment records have enjoyed confidentiality protections under 42 C.F.R. Part 2 (“Part 2”). Since HIPAA/HITECH and related regulations went into effect, SUD treatment providers that are subject to Part 2 (“Part 2 programs”) have struggled to make sense of the inconsistencies between Part 2 and HIPAA. For example, Part 2 programs cannot rely on HIPPA’s treatment, payment or health care operations exception to the authorization requirement because Part 2 is more restrictive than HIPAA and only permits disclosure of Part 2 records without a consent under limited circumstances. These types of inconsistencies, historically, have created numerous operational burdens for Part 2 programs and impeded care coordination.

Part 2 plays an important role to help address concerns that discrimination and fear of prosecution would deter individuals from seeking SUD treatment. It has been challenging for regulators to balance the heightened need for confidentiality of SUD treatment records with the need for sufficient operational flexibility to allow for effective care coordination and treatment.

HHS issued a Notice of Proposed Rulemaking (“NPRM”) proposing rules that implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. § 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Public comments on the NPRM were due by January 31, 2023. HHS is proposing to give providers 24 months to comply with the changes after the publication of the final rule, but it has welcomed comments on whether that compliance period is sufficient.[i]Continue Reading New Proposed Part 2 Rules Aim for Greater HIPAA Alignment

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as ’banking Trojans” to steal credentials and financial information, these intrusive, fast-replicating Trojans spread quickly. Emotet is polymorphic, which makes it difficult for traditional antivirus solutions to detect.  It worms its way through a network, generally using phishing emails from compromised systems to spread as quickly as possible. Once it’s infected enough computers, it will “drop” (install) other malicious programs, especially TrickBot, which has all sorts of modular, built-in tools to discover system information, compromise that system and steal data.

The presence of either of these Trojans on a network is a serious threat. Both of these Trojans are closely related; where you see one, you often see the other. To help visualize how they work, think about them like a team of professional robbers:

  • Emotet is the ‘strike team’ hired to get Trickbot through as many doors as possible, by exploiting vulnerabilities or by stealing keys
  • Trickbot is the professional ‘safe-cracking team’ the Emotet strike team gets in the door
  • Trickbot might install ransomware to collect a ransom, or maybe just cover their tracks when they’re done. When it installs ransomware, it’s often Ryuk.

Continue Reading Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.
Continue Reading HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement