Kathrin E. Kudner

Ms. Kudner's practice is devoted to the representation of health care providers, payors and biotechnology and life sciences companies in various corporate and regulatory matters. Ms. Kudner is a member of the Firm's Privacy and Data Security, Biotechnology and Life Sciences, Dental Service Organizations, and Insurance Teams.

Recent ransomware attacks illustrate the importance of compliance with the required and addressable security standards of the HIPAA Security Rule. In its Fall 2019 Cybersecurity Newsletter, issued December 2, 2019, the Office for Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack.

HIPAA requires both covered entities and business associates to conduct a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic Protected Health Information (ePHI) and to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level. According to OCR, these risk analyses are critical to preventing ransomware attacks because ransomware takes advantage of technical vulnerabilities that a thorough risk analysis should surface. HIPAA also requires an effective procedure for regular information system activity review. This enables the covered entity or business associate to identify unusual activity and quickly recognize an attack in progress. The information system activity review should include procedures for examining audit logs, incident and breach tracking reports, and reports on system access.
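As an illustration of what an information system activity review can look like in practice, the following is an added example, not code from OCR's newsletter or from the firm. It assumes a simple, constructed file-access audit log format (timestamp, user, action, path, and a new path for renames) and hypothetical thresholds; both would be adapted to the actual logging platform. It applies two checks commonly used to spot ransomware early: a burst of modify/rename events by one account in a short window, and files being renamed to an extension the organization never uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log for demonstration only (not real ePHI activity).
# Format assumed here: <ISO timestamp> <user> <action> <path>[ -> <new path>]
SAMPLE_LOG = """\
2019-12-02T08:00:01 jdoe READ /ehr/patients/1001.pdf
2019-12-02T08:00:05 jdoe WRITE /ehr/patients/1001.pdf
2019-12-02T08:01:10 asmith READ /ehr/patients/2002.pdf
2019-12-02T08:02:00 asmith WRITE /ehr/patients/2002.pdf
2019-12-02T08:05:30 asmith WRITE /ehr/patients/2003.pdf
2019-12-02T08:09:45 asmith WRITE /ehr/patients/2004.pdf
2019-12-02T03:12:00 svc_backup RENAME /ehr/patients/3001.pdf -> /ehr/patients/3001.pdf.locked
2019-12-02T03:12:02 svc_backup RENAME /ehr/patients/3002.pdf -> /ehr/patients/3002.pdf.locked
2019-12-02T03:12:03 svc_backup RENAME /ehr/patients/3003.pdf -> /ehr/patients/3003.pdf.locked
2019-12-02T03:12:05 svc_backup RENAME /ehr/patients/3004.pdf -> /ehr/patients/3004.pdf.locked
2019-12-02T03:12:06 svc_backup RENAME /ehr/patients/3005.pdf -> /ehr/patients/3005.pdf.locked
2019-12-02T03:12:08 svc_backup RENAME /ehr/patients/3006.pdf -> /ehr/patients/3006.pdf.locked
"""

# Hypothetical tuning values; real thresholds come from the risk analysis and baseline activity.
WINDOW = timedelta(seconds=60)      # sliding window for the burst rule
BURST_THRESHOLD = 5                 # modify/rename/delete events per user per window
KNOWN_EXTENSIONS = {".pdf", ".docx", ".txt", ".hl7", ".xml"}  # assumed allowlist
MODIFYING_ACTIONS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts = datetime.fromisoformat(parts[0])
    user, action, path = parts[1], parts[2], parts[3]
    new_path = parts[5] if action == "RENAME" and len(parts) >= 6 else None
    return {"ts": ts, "user": user, "action": action, "path": path, "new_path": new_path}


def parse_log(text):
    """Parse a whole log; lines need not be in time order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def extension(path):
    """Return the final extension of a path (e.g. '.locked'), or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def detect_bursts(events):
    """Return the set of users with >= BURST_THRESHOLD modifying events inside any WINDOW."""
    recent = defaultdict(deque)   # per-user timestamps of recent modifying events
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] not in MODIFYING_ACTIONS:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            flagged.add(e["user"])
    return flagged


def detect_unknown_extensions(events):
    """Return rename events whose new name carries an extension outside the allowlist."""
    return [e for e in events
            if e["action"] == "RENAME" and e["new_path"]
            and extension(e["new_path"]) not in KNOWN_EXTENSIONS]


def review(text):
    """Run both checks over a log and return a summary suitable for an activity-review report."""
    events = parse_log(text)
    return {
        "burst_users": sorted(detect_bursts(events)),
        "suspicious_renames": [(e["user"], e["path"], e["new_path"])
                               for e in detect_unknown_extensions(events)],
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    print("Users with burst activity:", summary["burst_users"])
    for user, old, new in summary["suspicious_renames"]:
        print(f"Unusual rename by {user}: {old} -> {new}")
```

On the constructed log, `asmith` makes three writes spread over ten minutes and is not flagged, while `svc_backup` renames six patient records to `.locked` within eight seconds at 03:12 and trips both checks. The point is that the signal is present in ordinary access logging; the review procedure only has value if someone, or something, actually runs it on a regular schedule and acts on the result.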

On August 22, 2019, the Substance Abuse and Mental Health Services Administration of the United States Department of Health and Human Services (“SAMHSA”) issued a proposed rule amending the Confidentiality of Substance Use Disorder Patient Records regulations set forth at 42 CFR Part 2. These regulations were initially implemented to provide heightened protection for patient records covering the treatment of substance use disorder (“SUD”) provided by certain federally assisted programs (“Part 2 programs”).

The proposed regulations do not modify the general requirements for the confidentiality of SUD patient records created by Part 2 programs. Part 2 continues to prohibit the disclosure of SUD records without patient consent except as specifically permitted, for example in a bona fide medical emergency, for purposes of scientific research, audit or program evaluation, or under an appropriate court order issued on a showing of good cause.