In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act imposed direct liability on business associates for certain violations of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”). The resulting 2013 HHS Office for Civil Rights (OCR) final rule modified the HIPAA Rules accordingly. In May of this year, OCR posted guidance on the HHS website reiterating the parameters of business associate liability, as follows:

As regulators attempt to keep pace with the ever-changing technological landscape, legislation and agency guidance continue to evolve. Two recent developments worth noting:

  1. The clarification and modification of the California Consumer Privacy Act (CCPA)
  2. The release of the U.S. Department of Health and Human Services’ (HHS) voluntary cybersecurity practices for health care organizations

For insights