Because the healthcare community relies upon encryption to safeguard e-Protected Health Information (ePHI), vulnerability to the underlying security of any encryption code is potentially devastating.

The Heartbleed computer bug has been gaining substantial media coverage recently, and for good reason. Organizations, especially those in healthcare, should pay special attention to the risks it poses. Heartbleed is not a computer virus; it is a software defect. The defect went unnoticed for a long period of time and was unfortunately deployed by many websites.

Discovered by Neel Mehta of Google Security, the Heartbleed bug stems from a flaw in the widely used OpenSSL library. This library is used by security vendors’ products to secure web browsing and even mobile banking applications. For example, if you go to a site like Amazon, you may notice a little lock in the browser’s address bar with the letters “https”; that is a sign that the website uses, and is a part of, the OpenSSL library. When the Heartbleed bug is exploited, the attacker can retrieve up to 64KB of memory from the remote system. That memory may contain usernames, passwords, keys or other useful information that enables bigger attacks.
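To make the defect concrete, the following is an added C example (not code from the original post or from OpenSSL itself) of a heartbeat handler that bounds its copy by the length of the record actually received, checked against two constructed messages: one well-formed and one whose length field over-declares its payload. The constants and function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1

/* Validate a heartbeat request against the length of the record that actually
 * arrived. Returns the declared payload length, or -1 if the peer's length
 * field would reach past the received bytes (the Heartbleed condition). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_PADDING_LEN || rec[0] != HB_REQUEST)
        return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the vulnerable code lacked: the transport-supplied
     * record length, not the peer-supplied length field, bounds the copy. */
    if (HB_HEADER_LEN + declared + HB_PADDING_LEN > rec_len)
        return -1;
    return (int)declared;
}

/* Copy the payload into a response only after validation, so the copy can
 * never read beyond the bytes that were actually received. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0 || (size_t)n > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, (size_t)n);
    return n;
}

/* Constructed 24-byte request whose length field (5) matches its payload. */
int demo_well_formed(void)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_PADDING_LEN] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* 5 */
}
/* Constructed: the same 24 bytes, but the length field claims 65535. */
int demo_over_declared(void)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_PADDING_LEN] = {HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```

The 65535 ceiling of the two-byte length field is exactly why the post speaks of "up to 64KB" per request.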

On April 1, 2014, the Department of Labor’s Office of Federal Contract Compliance Programs agreed to the dismissal of its December 2008 complaint against Florida Hospital of Orlando. This action follows DOL’s March 11, 2014 agreement to a five-year moratorium on compliance and enforcement actions against Tricare service providers. These developments reflect a significant rollback of OFCCP’s prior position as to the scope of its jurisdiction. In his March 11, 2014 letter to Congress, Secretary of Labor Thomas Perez recognizes that Congress had intended to limit OFCCP’s jurisdictional authority over Tricare healthcare providers.

Are you wondering how much to pay your pediatric cardiologist? Or perhaps whether the compensation another pediatric subspecialty is demanding is justifiable? A recent article in the In-House Counselor, a publication of the American Health Lawyers Association, may provide guidance.

The article, which was written by Tom Schnack of Seim Johnson and was edited by

In an unprecedented move, on April 8, 2014, the Office of the Inspector General (“OIG”) posted a notice of termination of one of its previously issued advisory opinions. Specifically, the OIG issued a Final Notice of Termination of Advisory Opinion No. 11-18 (“Notice of Termination”). The OIG issued Advisory Opinion 11-18 on November 30, 2011 (“Advisory Opinion”). Under the proposed arrangement, the Requestor, a publicly traded company that provides web-based business services to physician practices, would provide a new service to its existing customers, called “Coordination Service,” to facilitate the exchange of information between the ordering (or referring) healthcare practitioners and providers (“Ordering Health Professionals”) and receiving healthcare practitioners and providers. Ordering Health Professionals could refer patients to other healthcare professionals who were existing subscribers of Requestor’s services (“Trade Partners”) or to healthcare professionals not currently receiving Requestor’s services (“Non-Trading Partner”).

This article was originally published by the American Health Lawyers Association. Copyright 2014, American Health Lawyers Association, Washington, DC. Reprint permission granted.

Recently, the Obama Administration released its fiscal year 2015 budget proposal, which includes several proposals of special interest to children’s hospitals. The Budget proposes several new and strategic investments in the nation’s health care

If you are forming a new venture or starting a new research project, consider these important IP issues before taking the plunge…

1) Evaluate the “Patent Landscape” before you invest significant resources. A patent attorney can help you with a “Freedom to Operate” opinion. This FTO opinion will contain a “prior art” search, which provides information regarding comparable patents, their inventors/assignees, whether the patents are in good standing, and the remaining patent term. This information will give you a greater understanding of the patentability of your new idea, will help you avoid infringing someone else’s patents, and will help you identify potential licensing issues. The FTO opinion can also help to avoid “willful” infringement should you later be sued.

Read the press about Judge James Gwin’s decision in United States ex rel. Barko v. Halliburton Co., No. 1:05-cv-1276 (D.D.C. Mar. 6, 2014), and you might see it as the beginning of the end for the attorney-client privilege in internal investigations. While the ultimate implications of the decision remain to be seen, that’s not how we see it.

The attorney-client privilege and the work product doctrine are alive and well, as is their application to internal investigations. The FAR clause implementing the requirement for a Code of Business Ethics and Conduct preserves the contractor’s right to conduct an internal investigation subject to the protections of the attorney-client privilege and the work product doctrine. See FAR 52.203-13 (Dec. 2008). The Justice Department’s Principles of Federal Prosecution of Business Organizations explicitly states that a company is not required to waive privilege in order to get credit for cooperating with a government investigation. “[W]aiving the attorney-client and work product protections has never been a prerequisite under the Department’s prosecution guidelines for a corporation to be viewed as cooperative.”

The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool. In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the attackers’ opening salvo was launched against a Target vendor, Fazio Mechanical Services.

Although few details are reported, the report does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.” Target’s supplier portal and facilities management pages were apparently viewable on the Internet, and files from those sites “allowed the attacker to map Target’s internal network prior to the breach.” Unfortunately, Fazio was also using a free version of an anti-malware product, which did not provide real-time protection and was intended only for individual consumer use.

The line between “white collar crime” and “street crime” is often blurred as prosecutors and investigators deploy all of the tools at their disposal against white collar and regulatory offenses. Principal among these tools is the search warrant. While the execution of a lawfully obtained search warrant cannot be stopped, a company’s reaction to the search and to the agents conducting it can have a significant impact on the course of a government investigation. A well-executed response may yield intelligence about the nature and scope of the investigation and may limit the amount of information the government obtains.

In this post, we present an overview of the search warrant process and offer some basic guidelines that may be used in preparing for and responding to a search warrant.

On March 6, 2014, the District Court for the District of Columbia issued an opinion in United States ex rel. Barko v. Halliburton Company et al. requiring Kellogg, Brown & Root Engineering Corporation (“KBR”) to produce documents originally withheld on the basis of attorney-client privilege and the work product doctrine. The Court found that the documents, which related to internal investigations of possible violations of KBR’s code of conduct, were ordinary business records created to satisfy regulatory requirements and were not created for purposes of obtaining or receiving legal advice. The Court’s decision was based on the fact that KBR’s internal investigation was required under the Federal Acquisition Regulation and internal KBR policy, and that the investigation was conducted by non-lawyers. The Court’s holding raises significant questions about existing corporate compliance and investigation programs in regulated industries, including healthcare.

In Barko, the plaintiff brought a qui tam complaint alleging that KBR employees subcontracted to certain third parties who inflated invoices for substandard work, resulting in overcharges to the government. Barko sought, in the course of discovery, documentation from the internal review performed by KBR’s Office of Business Conduct into these allegations. After an in camera review of the documents at issue, the Court determined that the documents were not protected.