Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for …
On April 6, 2017, New Mexico joined 47 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands when Governor Susana Martinez signed House Bill 15, codifying the Data Breach Notification Act. With New Mexico becoming the 48th state to enact a security breach notification statute, only Alabama and South Dakota have not codified requirements for repo…
On Monday, April 3, President Trump signed a bill repealing the privacy and security rules introduced in the FCC’s October 2016 Order. Under the terms of the Congressional Review Act (CRA), those rules have now been entirely repealed, the FCC is restricted from implementing “substantially similar” rules in the future, and the congressional act…
Following the HITECH Act, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued regulations requiring HIPAA covered entities to provide certain notifications for breaches of unsecured protected health information. OCR provides data on its website for breaches affecting 500 or more individuals.
To better understand t…
On Wednesday, the Chairman Pai-led FCC adopted an Order granting a stay of the data security rules that were adopted as part of the Commission’s 2016 Privacy Order spearheaded by former FCC Chairman Wheeler. The stay will maintain the data security rules that have been in place for several years, but suspend implementation of the expanded data security r…
On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question…
March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.
HIPAA Notification Requirements. HIPAA re…
FTC Complaint Alleges IoT Vendor’s Security Promises Don’t Match Its Practices
The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices. IoT is in the spotlight following last year’s …
A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,…
On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the eve…
To start off the New Year, here are some potential health information privacy and security resolutions. You can use these Annual, Quarterly, and Monthly lists to map out your privacy and security tasks for the year, and then check them off as you complete them. We have included empty rows for you to add your own resolutions.
As with any New Year’s resolution…
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, but there’s more to it than that.
Immerse yourself in an introduction to one of the most talked about and relevant laws today. Every American under the Affordable Care Act should be aware of HIPAA. Individuals or companies that create, receive, maintain, or transmit heal…
Given all of the unknown variables that occur in a business, it’s important to see the potential threats right in front of you. Now’s the time to take inventory of risks that may face your business.
A risk assessment is a standardized method of evaluating the potential risks that face your business. You need to determine the scope of your assessment, invent…
If your company’s data suddenly becomes lost or stolen, or is accessed without authorization, can you handle what comes next? Every day, entities of all shapes and sizes experience some form of a security breach. Some are the result of system hacking, theft, or malware, but some are simply the result of an employee’s mistakes, and therefore are prevent…
Cyber-attacks are constantly growing more challenging and dangerous. It is a top priority for businesses to protect their networks, computers, and information from unauthorized access. Should a data breach occur, cyber criminals, industry competitors, and even foreign governments put your employees and business and customer relationships at risk…
The FTC Issues Guidance on How to Batten Down the Hatches
Tomorrow, October 27, the Federal Communications Commission (FCC) is scheduled to vote on new privacy rules for internet service providers (ISP) that will have a lasting impact on U.S. privacy regulation. In this special Series, DWT starts with some background on what led us to this point and what we expect from the new rules. Once adopted, the Series wil…
Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). For business associates, desk audits will target breac…
On October 6, Federal Communications Commission Chairman Tom Wheeler published a fact sheet and blog post outlining his proposal to create privacy rules for internet service providers (ISPs), setting the final rules up for a vote at the FCC’s October 27 open meeting. The fact sheet demonstrates that the Federal Trade Commission and other government pr…
In a decision that could significantly impact the scope of the Federal Trade Commission’s consumer protection authority under Section 5 of the FTC Act, the U.S. Court of Appeals for the Ninth Circuit ruled on August 29, 2016, that common carriers are entirely exempt from the FTC’s jurisdiction, even when engaged in “non-common carrier” activiti…
Beginning August 1, U.S.-based companies that self-certify their compliance with the EU-U.S. Privacy Shield will be able to import data under the new data transfer framework. But how can your company best prepare?
Personal data transfers from the European Union are about to get easier for U.S. companies.
The push for the European Union and the United States to reopen negotiations over the EU-U.S. Privacy Shield may have just become a shove, due to a recent opinion released by the European Data Protection Supervisor (EDPS) assessing the data protections offered and recommending a series of substantial changes to the new data transfer framework.
On May 30, t…