On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question…
March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.
HIPAA Notification Requirements. HIPAA re…
FTC Complaint Alleges IoT Vendor’s Security Promises Don’t Match Its Practices
The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices. IoT is in the spotlight following last year’s …
A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,…
On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the eve…
To start off the New Year, here are some potential health information privacy and security resolutions. You can use these Annual, Quarterly, and Monthly lists to map out your privacy and security tasks for the year, and then check them off as you complete them. We have included empty rows for you to add your own resolutions.
As with any New Year’s resolution…
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, but there’s more to it than that.
Immerse yourself in an introduction to one of the most talked about and relevant laws today. Every American under the Affordable Care Act should be aware of HIPAA. Individuals or companies that create, receive, maintain, or transmit heal…
Given all of the unknown variables that occur in a business, it’s important to see the potential threats right in front of you. Now’s the time to take inventory of risks that may face your business.
A risk assessment is a standardized method of evaluating the potential risks that face your business. You need to determine the scope of your assessment, invent…
If your company’s data suddenly becomes lost or stolen, or is accessed without authorization, can you handle what comes next? Every day, entities of all shapes and sizes experience some form of a security breach. Some are the result of system hacking, theft, or malware, but some are simply the result of an employee’s mistakes, and therefore are prevent…
Cyber-attacks are constantly growing more challenging and dangerous. It is a top priority for businesses to protect their networks, computers, and information from unauthorized access. Should a data breach occur, cyber criminals, industry competitors, and even foreign governments put your employees and business and customer relationships at risk…
The FTC Issues Guidance on How to Batten Down the Hatches
Tomorrow, October 27, the Federal Communications Commission (FCC) is scheduled to vote on new privacy rules for internet service providers (ISP) that will have a lasting impact on U.S. privacy regulation. In this special Series, DWT starts with some background on what led us to this point and what we expect from the new rules. Once adopted, the Series wil…
Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). For business associates, desk audits will target breac…
On October 6, Federal Communications Commission Chairman Tom Wheeler published a fact sheet and blog post outlining his proposal to create privacy rules for internet service providers (ISPs), setting the final rules up for a vote at the FCC’s October 27 open meeting. The fact sheet demonstrates that the Federal Trade Commission and other government pr…
In a decision that could significantly impact the scope of the Federal Trade Commission’s consumer protection authority under Section 5 of the FTC Act, the U.S. Court of Appeals for the Ninth Circuit ruled on August 29, 2016, that common carriers are entirely exempt from the FTC’s jurisdiction, even when engaged in “non-common carrier” activiti…
Beginning August 1, U.S.-based companies that self-certify their compliance with the EU-U.S. Privacy Shield will be able to import data under the new data transfer framework. But how can your company best prepare?
Personal data transfers from the European Union are about to get easier for U.S. companies.
The push for the European Union and the United States to reopen negotiations over the EU-U.S. Privacy Shield may have just become a shove, due to a recent opinion released by the European Data Protection Supervisor (EDPS) assessing the data protections offered and recommending a series of substantial changes to the new data transfer framework.
On May 30, t…
On May 26, 2016, the European Parliament passed a resolution (2016/2727 (RSP)) calling on the European Commission (EC) to reopen negotiations with the United States to improve perceived “deficiencies” in the EU-U.S. Privacy Shield, the successor trans-Atlantic data transfer arrangement drafted by the U.S. and the EU after the Court of Justice of t…
Recent amendments to the State’s data breach statute give a hard deadline for a business to provide consumer notice, remove the encryption safe harbor, exempt entities that are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and will require a business to report employees’ misuse of consumer data when do…
In the first ruling rebuking the Federal Trade Commission’s cybersecurity enforcement efforts, the FTC’s head administrative law judge dismissed the FTC’s complaint against LabMD, Inc., on November 13, stating that fundamental fairness demanded dismissal, as the FTC had not presented any evidence of actual or likely substantial consumer inj…
Safeguarding patient information is at the core of responsibilities for health care entities under the Health Insurance Portability and Accountability Act (HIPAA). But safeguarding patient information isn’t just a regulatory requirement; every medical professional who takes the Hippocratic Oath (Modern Version) swears to respect patient priv…
On October 8, 2015, California Governor Jerry Brown signed A.B. 964 and S.B. 570 into law, a pair of bills that amended the Golden State’s data breach notification statute (Ca. Civ. Code § 1798.82). The amendments specifically define information that is “encrypted” so as to presumptively exclude it from notice and disclosure requirements, add ad…
With students around the country back in school, it’s time for educators and education-focused technology (“EdTech”) service providers to pick up …