Attorneys at Oscislawski LLC together with the New Jersey Hospital Association present this highly informational Webinar on compliance steps hospitals can take to attempt to manage the risks associated with use of technologies that include online tracking tools.
Continue Reading WEBINAR: Managing Risk with Online Tracking Technologies

Genetic testing companies, and those who partner with them, must take care to ensure that the scope of how consumers’ sensitive data is used and shared in the future aligns with the scope of consent that was granted by the consumer at the point of collection. The FTC found that a California-based genetic testing company informed consumers that it would only share consumers’ sensitive health and other personal information “in limited circumstances,” but then expanded sharing such information with new third parties, like supermarket chains. The FTC has now stepped up to protect consumers’ sensitive genetic information.
Continue Reading Genetic Testing Company Violates Privacy and Security Policies, FTC Says.

After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should suspended or amended.
Continue Reading AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status etc.) for advertising and marketing purposes.
Continue Reading FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

ONC says actors that require third-party apps to be “vetted” by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion is likely to be information blocking. However, my concern with relying solely on the security criteria required for API certification is that it is too low of a bar to adequately protect patients and other individuals from developers of apps that fail to keep promises to keep individuals’ information confidential.
Continue Reading ONC Says “Vetting” Mobile Apps is Information Blocking

The Office of National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.
Continue Reading ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

JAMA published a study earlier this week finding more than 95% wanted immediate access to test results. However, when speaking to ONC, the study’s lead researcher specifically noted that although 95.3% of patients who received abnormal test results responded that they still would like to continue to receive immediately released results, this was associated with nearly twice the likelihood of worry compared to respondents who received normal results.
Continue Reading ONC Vindicated. Patients Want Immediate Access to Test Results

The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC compliant — and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.
Continue Reading FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

The forecast for Arizona is thunderstorms, at least for at least one health care system. Last week, OCR announced a $1.25 settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.
Continue Reading Not So Sunny News in Arizona –  Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016

The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
Continue Reading Mobile Health Apps and Vendors of Health Records Beware! – the FTC has just started Enforcing the Breach Notification Rule.

The New Year is finally here, and I believe that there will be a LOT going on in 2023!  Here are just a few of the things that Legal HIE is looking to stay on top of for our readers this year . . .
Continue Reading HAPPY NEW YEAR! A LOT will be happening in 2023!

On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” One of the most troubling positions OCR takes in its Bulletin is that “all IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity . . .” If your organization maintains a website, portal, FB page, mobile application etc., it must review the tracking technologies associated with these immediately.
Continue Reading Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?

SAMHSA finally fulfilled its duty under the CARES Act & releases a Proposed Rule “Confidentiality of Substance Use Disorder (SUD) Patient Records” amending the Part 2 rules in line with the CARES Act’s requirements. This is the 4th overhaul of the Part 2 Rule in 5 years…
Continue Reading Are We Getting Closer to Alignment of 42 CFR Part 2 & HIPAA?