Photo of Pete Enko

Healthcare clients depend on Pete for his valued advice in health law, information management, privacy and security matters. He frequently counsels clients on contracting, research compliance, fraud and abuse, managed-care, medical staffing, Medicare/Medicaid, patient care, operational and transactional issues.

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law (2021)

Recently, I had the pleasure of being interviewed by Julia Kerrigan, an articulate and insightful young journalist writing for her high school paper, The Dart. In my mind (that’s foreshadowing the challenges caused by my ego-centricity dear reader), the point of the conversation was for me to provide Julia with a primer on information privacy and security issues so that she could weave into her article a few observations from a so-called expert.
Continue Reading Cybersecurity Through a Generation Z Lens: The Privacy and Security Issues that Keep Teens up at Night

Having escaped the bleak midwinter of the Midwest for a few brief days, I find myself sitting poolside in sunny Orlando experiencing a few tantalizing hours of near summer temps. As I watch the inflatables being splashed about gleefully by children (mine included) impervious to the water’s lingering chill, my thoughts naturally turn to privacy and security (which is not a euphemism for my ill-fitting swimsuit by the way).
Continue Reading Husch Blackwell’s Pete Enko asks, “Will State Laws Move the Privacy Ball in 2019?”

It’s time for year-behind-us reminisces and year-before-us prognostications and, for those of us with nothing better to do during the last few days of 2017 and first few days of 2018, attention turns to HIPAA enforcement. So what happened and what can we look forward to? If past is prologue, expect the sound of silence as there was nominal Office for Civil Rights (OCR) activity in 2017 and, with the one noisy exception, no actions to cause your ears to burn.
Continue Reading HIPAA New Year!

HIPAA and the IRS. There isn’t a whole lot of guidance out there about what to do when the IRS knocks on your organization’s door and asks for protected health information. Should the agency be treated as a cop or robber?

The most risk-averse approach for a HIPAA-covered entity or business associate to take is to treat the IRS as a potential thief and draw the deadbolt when it comes to data requests involving PHI. Such a tack would, among other things, comply fully with HIPAA’s minimum necessary requirement and, frankly, reinforce the Everyman attitude toward the agency. Moreover, PHI produced in response to an information document request (IRD) is unlikely to be treated under 45 CFR 164.512 as a disclosure required by law, a disclosure for an administrative proceeding, or a disclosure for a law enforcement purpose, because the IRS appears to lack the authority to compel compliance with an IRD. However, we should be careful that we don’t always and automatically view the IRS with HIPAA suspicion –  in some circumstances the IRS does perform a legitimate healthcare oversight function for which it may receive PHI without individual authorization, consistent with HIPAA’s treatment/ payment/ operations exception.
Continue Reading Cops or Robbers: PHI, the IRS and IRDs

Having no need to brandish bandanas to obscure identity or firearms to force entry, cyber bandits, in a sophisticated and well-orchestrated robbery, waltzed into the IT vaults of Anthem, the second-largest U.S. health insurer, and walked off with personally identifiable information on about 80 million current and former members, a population that comprises Anthem customers,