BenefitMall Senior Compliance Analyst and Sales Representative Honored at NAPIB Conference – Yahoo Finance
Marion County Health and Human Services Goes Live with DrCloudEHR, Transforming Community Well-Being – EIN News
MOVEit Attack Highlights Security Principles For Healthcare CIOs – Forbes
Nevada Consumer Health Data Bill Signed into Law – HIPAA Journal
Nevada Consumer Health Data Bill Signed into Law
The governor of Nevada recently signed a new consumer health data privacy bill into law that strengthens consumer health data privacy and gives Nevada residents new rights over their health data. Senate Bill (SB) 370 was modeled on Washington’s recently enacted “My Health, My Data” (MHMD) bill, although it is less comprehensive in scope. The new law applies to entities that conduct business in Nevada or produce or provide products or services that are targeted at consumers in Nevada and, either alone or with others, determine the purpose and means of processing, sharing, or selling consumer health data. Exceptions include law enforcement agencies and their contractors, and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
The new law applies to consumer health data, which is defined as personally identifiable information that is linked to or reasonably capable of being linked to a consumer that a regulated entity uses to identify the past, present, or future health status of a consumer, but excludes information for certain research purposes, public health purposes, FERPA-covered data, and health data collected and shared as authorized by other state or federal laws, and certain other purposes.
Consumer health data includes information about any health condition or status, disease, or diagnosis; social, psychological, behavioral, or medical intervention; surgeries or health-related procedures; use or acquisition of medication; bodily functions, vital signs, or symptoms; reproductive or sexual health care; gender-affirming care; biometric/genetic data; precise geolocation information; and health information derived or inferred from non-health data.
The new law gives consumers new rights over their health information, including the right to confirm if a covered business is collecting, sharing, or selling their health data, obtain a list of all third parties that their health data has been sold to or shared with, the right to stop a business from processing, sharing, or selling their health data, and the right to have their health data deleted. In the case of the latter, covered businesses have to delete data and notify affiliates, processors, and contractors of the deletion request within 30 days. Responses to consumer requests are required without undue delay and no later than 45 days after the request is authenticated.
Covered businesses must obtain affirmative, voluntary consent for the collection and sharing of consumer health data and obtain written, signed authorization before the sale of consumer health data is permitted. Covered businesses are required to maintain a consumer health data privacy policy, restrict access to consumer health data to employees and processors that need access to the data, maintain reasonable security practices, and establish a consumer appeals process. A privacy policy must be clearly posted on a covered business’s main Internet site and must clearly explain how consumer health data is collected and used, the categories of entities with whom the information will be shared, and consumer rights, such as the process for reviewing, requesting changes, and deleting consumer health data. Covered businesses are prohibited from geofencing healthcare facilities (within 1,750 ft) for the purpose of identifying/tracking consumers receiving or seeking healthcare, collecting health data from consumers, or sending health data or healthcare-related notifications, messages, or advertisements to consumers.
The new law takes effect on March 31, 2024, after which date the state Attorney General can impose financial penalties for noncompliance; however, there is no private cause of action, so consumers are unable to take legal action against entities that have violated their privacy through noncompliance with the law.
Good Samaritan Hospital Settles Class Action Data Breach Lawsuit – HIPAA Journal
Good Samaritan Hospital Settles Class Action Data Breach Lawsuit
Good Samaritan Hospital in San Jose, CA, has agreed to settle a class action lawsuit that was filed in response to a data breach that exposed the protected health information of up to 233,835 individuals. According to the hospital, unauthorized individuals gained access to an employee email account between October 28 and November 8, 2019, which contained sensitive patient data such as names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, tax identification numbers, financial account numbers, treatment/diagnosis information, health insurance information, billing information, doctors’ names, medical record numbers, medical histories, prescription information, Medicare/Medicaid IDs and patient account numbers.
A lawsuit – Young, et al. v. Good Samaritan Hospital – was filed in the California Superior Court for Los Angeles County against the hospital on behalf of individuals impacted by the data breach. The lawsuit claims the hospital acted unlawfully by failing to prevent the data breach and alleges negligence, violations of the California Confidentiality of Medical Information Act (CMIA), and unlawful/unfair business practices, in violation of the California Business and Professions Code.
Good Samaritan Hospital denied all of the allegations, maintains there was no wrongdoing, and claims it was fully compliant with all federal and state laws; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The proposed settlement has been agreed upon by all parties but has yet to receive final approval from a judge. The final approval hearing has been scheduled for Sept. 5, 2023.
The total settlement fund has not been disclosed; however, all class members are entitled to claim up to $1,500 as reimbursement for ordinary expenses, which are documented expenses that were incurred as a result of the data breach. Ordinary expenses include credit monitoring costs, phone calls, interest on loans, communication charges, card re-issuance fees, and unreimbursed bank fees. Individuals who have suffered identity theft, medical fraud, tax fraud, other forms of fraud, and other actual misuses of their personal information can submit claims of up to a maximum of $5,000 for documented, unreimbursed extraordinary losses that are reasonably traceable to the data breach.
The deadline for exclusion from and objection to the settlement is July 18, 2023, and all claims must be submitted by July 18, 2023. The class members were represented by Joshua B Swigart of Swigart Law Group AFC and Gayle M Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP.