Recent Updates in Data Privacy & Security for Health Care Entities

March was a busy month for data privacy and security, especially as it relates to health care entities. To help keep you up to date with the changes, we’ve included a few highlights for you below:

1. HIPAA Enforcement Action Updates: This week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolved three investigations and one matter relating to compliance with the HIPAA Privacy Rule. Two of the cases relate to OCR’s ongoing Right of Access Initiative, aimed at supporting individuals right to timely and cost-effective access to their health care records. These two Right of Access cases resulted in one $30,000 settlement and one $50,000 civil money penalty. The other two enforcement actions related to impermissible disclosures of protected health information by providers and resulted in settlements of $28,000 and $62,500.

1. Utah Consumer Privacy Act (UCPA): Utah has now become the fourth state in the United States to enact comprehensive data privacy legislation, joining California, Colorado, and Virginia. While the UCPA is not effective until December 31, 2023, entities will need to focus on meeting compliance requirements before the effective date. Businesses would need to meet both a financial threshold (annual revenue of $25 million) and a volume of data threshold in order for the UCPA to apply. The law contains several exceptions that may be applicable to health care entities, including for example exceptions for (1) Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates; (2) protected health information under HIPAA; (3) patient identifying information under 42 C.F.R. Part 2; and (4) identifiable private information in certain research scenarios.

1. Introduction of Healthcare Cybersecurity Act: In light of recent increased threats of cyberattacks against the United States, a bipartisan bill has been introduced in Congress aimed at protecting sensitive health care data. The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) and the HHS to collaborate in order to improve cybersecurity in the health care sector and public health sector, authorize cybersecurity training for entities in these sectors, and require CISA to conduct a study on specific cybersecurity risks facing entities in these sectors.

For more information regarding these updates or other data privacy and security related questions in the health care industry, contact your Quarles & Brady attorney or:

• Rachel H. Weiss: (414) 277-5829 / rachel.weiss@quarles.com
• Meghan C. O'Connor: (414) 277-5423 / meghan.oconnor@quarles.com