The Office for Civil Rights (OCR) has announced its fourth cybersecurity investigation and settlement, noting a 264% increase in significant ransomware breaches since 2018. A recent settlement with a medium-sized healthcare provider involved a $250,000 payment and commitments to enhance the security of Protected Health Information (PHI). This investigation and settlement underscore the critical need for robust cybersecurity measures to comply with HIPAA and protect patient data.

Leveraging AI in healthcare requires vast amounts of data, but navigating privacy and data security laws is crucial. A recent investigation into Australia’s I-MED Radiology Network highlights concerns about using medical data for AI. This case offers valuable insights for U.S. providers, especially regarding compliance with HIPAA and other regulations.

Following the national trend toward prohibiting or limiting non-compete agreements, Louisiana Senate Bill 165 limits the length and geographical scope of non-compete agreements for both specialty and primary care physicians. The law goes into effect on Jan. 1, 2025. Under Senate Bill 165, non-compete agreements for physicians must expire three years or five years from the effective date of the initial contract or agreement.

Pennsylvania Governor Josh Shapiro has signed the “Fair Contracting for Health Care Practitioners Act” (House Bill 1633), which restricts the ability of employers and healthcare practitioners to enter into non-compete agreements. The Act goes into effect on Jan. 1, 2025. The Act represents a significant shift in the employment landscape for healthcare practitioners in Pennsylvania and is part of a growing trend of greater scrutiny of restrictive covenants, especially in the healthcare industry.

On June 17, 2024, Rhode Island Governor Dan McKee signed a new law (R.I. Gen. Laws § 5-34-50) that prohibits the enforcement of non-competition agreements with advanced practice registered nurses (APRNs) in the state. Surprisingly, only three days after the APRN prohibition was enacted, the Rhode Island legislature sent a proposed bill containing a full ban on non-competition agreements (SB 2436) to Governor McKee for review. On June 26, 2024, Governor McKee vetoed this full ban, stating his concerns about the breadth of the proposed ban and that it exceeded the scope of the Federal Trade Commission’s April 23, 2024, final rule on non-competes. The Rhode Island legislature adjourned its 2024 legislative session on June 30, 2024, without seeking to override the governor’s veto.

In 2022, the City of Inglewood passed a healthcare worker minimum wage ordinance. The new $25.00 minimum wage applies to private-sector healthcare employees who work in hospitals, integrated health systems, and dialysis clinics in Inglewood. The new minimum wage applies to clinicians, nurses, certified nursing assistants, aides, technicians, maintenance workers, janitorial or housekeeping staff, groundskeepers, guards, food services workers, laundry workers, and pharmacists, but does not include managers or supervisors.

The healthcare industry is among the most highly regulated industries when it comes to privacy protections. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare providers also must comply with a growing number of state laws governing data privacy and security. Fully complying with this patchwork of privacy protections is a complex task because these laws often classify different kinds of personal information as “protected information” and impose varying security and reporting requirements.

For example, HIPAA protects certain “individually identifiable health information,” often referred to as “protected health information” or PHI. HIPAA requires covered entities to adopt and implement a plethora of policies and technical safeguards to protect PHI. The California Consumer Privacy Act (CCPA), a relatively new law, protects consumers regarding the collection, use, processing, deletion, sale, and security of personal information, among other things, and also imposes obligations on businesses regarding the same. Healthcare providers who are HIPAA covered entities are exempt from the CCPA with respect to protected health information. However, HIPAA covered entities are not exempt when functioning as an employer with respect to the personal information of their employees who reside in California and therefore must comply with the CCPA to the extent it applies to them as employers.

With the growing number of state laws governing privacy protection, healthcare organizations must be sure their compliance efforts consider state law in addition to HIPAA. Meshing these obligations into one cohesive privacy protection system can be complicated. (See Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?). A recent article by our Jackson Lewis Privacy, Data and Cybersecurity practice group addresses these issues. The article breaks down some factors that may trigger business obligations related to personal information and applies such considerations to the healthcare industry. These factors include but are not limited to industry, business location, categories of customers, types of equipment used, specific services provided, marketing and promotion methods, the categories of information collected, and employment practices. The article also provides some examples of laws that may be triggered (although it is not exhaustive).

So, what is the takeaway? Healthcare organizations should regularly evaluate their compliance efforts around the protection of personal information. This starts with understanding the state and federal laws applicable to their business. From there, healthcare organizations must work to establish and implement policies and safeguards that meet their obligations under each of the applicable laws. Failing to meet these obligations could expose an organization to potentially significant liability and reputational harm. To ensure compliance, healthcare organizations should, at minimum, consider doing the following:

  • Implement comprehensive data safeguards;
  • Conduct cybersecurity assessments;
  • Reconsider the types of data collected and the purposes for collection;
  • Determine whether data collected is the minimum necessary to accomplish the intended purpose; and
  • Monitor pending privacy legislation.

Jackson Lewis attorneys in our Privacy, Data and Cybersecurity practice group and Healthcare industry group regularly partner with healthcare providers to ensure they are up-to-date with this rapidly evolving area of law. Please contact your Jackson Lewis attorney if you would like to learn more about these services.

Update: On May 17, 2024, we clarified our reference to HIPAA covered entities having to comply with HIPAA and the CCPA. HIPAA covered entities are exempt from the CCPA with respect to protected health information but must comply with the CCPA when functioning as an employer with respect to the personal information of their employees who reside in California.

On April 22, 2024, the federal Department of Health and Human Services’ Office for Civil Rights (OCR) announced a final rule enhancing privacy protections relating to reproductive health care. Specifically, the final rule amends the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to, among other things, establish new limits on the use or disclosure of protected health information (PHI) relating to reproductive health care.

Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language processing and large language models, now fuels more ferocious phishing campaigns. The effects are being felt in many industries, perhaps most notably the healthcare industry. One indicator of that may be the recent Office for Civil Rights (OCR) announcement of its “First Ever Phishing Cyber-Attack Investigation.”

Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say? Is zero tolerance required? Do we have to impose discipline in every case? These are examples of the frequent and thorny questions that arise in connection with the development and implementation of these policies. But they are important questions to answer, especially considering the federal Office for Civil Rights (OCR) position concerning these policies.