Health Law Blog

Author: sjodka

How Employers Can Handle Their Biggest Threat to Data Privacy, Their Employees

Given the ever-expanding landscape of privacy laws and regulations, employers are becoming increasingly aware that they are responsible for data breaches caused by their employees. When looking to formally impose obligations on employees in order to modify employee conduct, employers tend to start with policy, such as an employee handbook, which allows a means of internal discipline, and then move to contractual obligations, such as confidentiality/non-disclosure agreements, which allow a means of civil or criminal legal penalty. What does this mean in the employment law context in terms of disciplining employees, and what can employers do to keep employees from exposing protected or confidential data? The two case examples discussed below shed some light. For employers that have privacy requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the policy requirements have long been in place and can help guide other employers who are not subject to such regulated privacy requirements. Take for example a matter that was finalized in June 2018, when the New York State Education Department suspended a nurse practitioner’s (NP) license for violating the privacy of patients by providing their contact information to her new employer. As it turned out, back in April 2015 the NP had taken a spreadsheet containing the personally identifiable information of approximately 3,000 patients of her former employer and given the information to her new employer. Not surprisingly, the NP was not supposed...

The Grey’s Anatomy / Allscripts Ransomware Crossover Event: When Scripted TV Becomes Reality, the Script Goes Out the Window

For those familiar with the Shonda Rhimes juggernaut, Grey’s Anatomy, it is the story of surgical residents, fellows, and attending physicians as they work in the surgical wing of the fictional Grey Sloan Memorial Hospital. In most episodes, the situations in which the doctors find themselves are entertaining, but not necessarily how they might play out in a real hospital setting. In the show’s latest season, season 14, Episodes 8 “Out of Nowhere” and 9 “1-800-799-7233” play out a far too real situation for those in the healthcare space and demonstrate just what kind of damage and disruption a cyber attack can do to a healthcare provider. In those episodes, the hospital’s computer system is infected with ransomware that encrypts and holds hostage all of the hospital’s patient records until a ransom is paid in Bitcoin in an amount equivalent to $20 million USD. The fictional ransomware attack took out not only the hospital’s access to electronic patient records, essentially sending the doctors back to the Stone Age in terms of working with paper records and taking notes on patient activity, but also rendered inaccessible the hospital’s physical systems that were controlled by the now-encrypted computer system, such as the hospital’s blood and pharmaceutical supplies. While the eventual solution for Grey Sloan is one of Shondaland fiction (no spoilers here), the attack itself and the initial ramifications and responses to...

HIPAA Compliance in the Telecommuting Age

Since this is the Information Age, it should come as no surprise that more employees are working remotely, i.e., telecommuting. The flexibility to work from anywhere allows employees to work offsite, including from home, on public transit, at an airport, in a coffee shop, etc. While such flexibility certainly has its advantages, it also has its disadvantages. One specific disadvantage for those in the health care industry is that the mishandling of protected health information (PHI) by telecommuters has drawn the attention of federal enforcement agencies. It is easy to see why there are so many issues with telecommuters mishandling PHI, given that many telecommuters must be able to access patient information remotely to perform their duties. Organizations have far more control over patient data if the data is maintained in a centralized environment rather than distributed across endpoints. As such, health care organizations must consider whether telecommuters are downloading patient information from the employer’s network, whether employees are storing PHI on a personal computer or device, and what measures those employees are taking to properly protect that information. The Health Insurance Portability and Accountability Act (HIPAA) includes measures for both the security and privacy of patient information. Covered entities are required to self-report data breaches to the Office for Civil Rights (OCR), and OCR investigates all data breaches that expose the PHI of 500 or more individuals....

The Health Law Blog is published by Dickinson Wright PLLC to inform the public of important developments within the firm and practice areas. The content is informational only and does not constitute legal or professional advice. We encourage you to consult a Dickinson Wright attorney if you have specific questions or concerns relating to any of the topics covered in this blog.