Archives: Data Protection

HIPAA Enforcement Actions by the Numbers


Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA).  Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for … Continue Reading

And Then There Were 48 (States): New Mexico Enacts a Security Breach Notification Statute

On April 6, 2017, New Mexico joined 47 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands when Governor Susana Martinez signed House Bill 15, codifying the Data Breach Notification Act.  With New Mexico becoming the 48th state to enact a security breach notification statute, only Alabama and South Dakota have not codified requirements for repo… Continue Reading

It’s Official: Privacy and Security Rules from Wheeler Era Repealed

On Monday, April 3, President Trump signed a bill repealing the privacy and security rules introduced in the FCC’s October 2016 Order.  Under the terms of the Congressional Review Act (CRA), those rules have now been entirely repealed, the FCC is restricted from implementing “substantially similar” rules in the future, and the congressional act… Continue Reading

New FCC Stays ISP Data Security Rules from Wheeler Era

On Wednesday, the Chairman Pai-led FCC adopted an Order granting a stay of the data security rules that were adopted as part of the Commission’s 2016 Privacy Order spearheaded by former FCC Chairman Wheeler. The stay will maintain the data security rules that have been in place for several years, but suspend implementation of the expanded data security r… Continue Reading

New FCC Chairman Moves to Roll Back Privacy Rules for Internet Service Providers

Ever since the presidential election and the replacement of former Obama administration FCC Chairman Tom Wheeler with former Republican commissioner and now Chairman Ajit Pai, communications industry and privacy policy observers of all stripes have expected the new FCC to roll back much or all of the agency’s pre-election (October 2016) privacy Ord… Continue Reading

To Settle or Not to Settle – That Is the Question Raised by Recent HIPAA CMPs

On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question… Continue Reading

HIPAA Small Breach Notifications Due March 1: “In Like a Lion, Out Like a Lamb” if You Submit Timely


March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.

HIPAA Notification Requirements. HIPAA re… Continue Reading

IoT Vendors Beware: FTC’s Latest Enforcement Action Signals Further Scrutiny of the Industry

FTC Complaint Alleges IoT Vendor’s Security Promises Don’t Match Its Practices

The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices.  IoT is in the spotlight following last year’s … Continue Reading

The Price of PHI – A $2.2 Million USB Drive

A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,… Continue Reading

Time Waits for No One: OCR Announces First HIPAA Settlement for Lack of Timely Breach Notification

On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the eve… Continue Reading

2017 Health Information Privacy and Security New Year’s Resolutions

To start off the New Year, here are some potential health information privacy and security resolutions. You can use these Annual, Quarterly, and Monthly lists to map out your privacy and security tasks for the year, and then check them off as you complete them. We have included empty rows for you to add your own resolutions.

As with any New Year’s resolution… Continue Reading

HIPAA Starter Pack


HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, but there’s more to it than that.

Immerse yourself in an introduction to one of the most talked about and relevant laws today. Every American under the Affordable Care Act should be aware of HIPAA. Individuals or companies that create, receive, maintain, or transmit heal… Continue Reading

How Secure is Your Company?

Given all of the unknown variables that occur in a business, it’s important to see the potential threats right in front of you. Now’s the time to take inventory of risks that may face your business.

A risk assessment is a standardized method of evaluating the potential risks that face your business. You need to determine the scope of your assessment, invent… Continue Reading

Are You Prepared For When Things Go Wrong?

If your company’s data suddenly becomes lost or stolen, or is accessed without authorization, can you handle what comes next? Every day, entities of all shapes and sizes experience some form of a security breach. Some are the result of system hacking, theft, or malware, but some are simply the result of an employee’s mistakes, and therefore are prevent… Continue Reading

Cyber Security Threats are Evolving. Are You?

Cyber-attacks are constantly growing more challenging and dangerous. It is a top priority for businesses to protect their networks, computers, and information from unauthorized access. Should a data breach occur, cyber criminals, industry competitors, and even foreign governments put your employees and business and customer relationships at risk… Continue Reading

Feeling Lost in a Storm After Suffering a Data Breach?

The FTC Issues Guidance on How to Batten Down the Hatches


When faced with a data breach, it’s easy for companies to feel like they’re attempting to navigate a storm without a rudder.

To provide a guiding light to companies, the Federal Trade Commission (“FTC”) recently issued a guide for businesses, with an accompanying video and blog post, o… Continue Reading

FCC Broadband Privacy Part I: The FCC’s Ascension as a Privacy Regulator

Tomorrow, October 27, the Federal Communications Commission (FCC) is scheduled to vote on new privacy rules for internet service providers (ISP) that will have a lasting impact on U.S. privacy regulation. In this special Series, DWT starts with some background on what led us to this point and what we expect from the new rules.  Once adopted, the Series wil… Continue Reading

Just Around the Corner – HIPAA Audits for Business Associates


Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates.  These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).  For business associates, desk audits will target breac… Continue Reading

Brace for Impact: The FCC’s Broadband Privacy Rules Are Almost Here

On October 6, Federal Communications Commission Chairman Tom Wheeler published a fact sheet and blog post outlining his proposal to create privacy rules for internet service providers (ISPs), setting the final rules up for a vote at the FCC’s October 27 open meeting. The fact sheet demonstrates that the Federal Trade Commission and other government pr… Continue Reading

Advisory Alert: 9th Cir. Rules Common Carriers Beyond FTC Authority

In a decision that could significantly impact the scope of the Federal Trade Commission’s consumer protection authority under Section 5 of the FTC Act, the U.S. Court of Appeals for the Ninth Circuit ruled on August 29, 2016, that common carriers are entirely exempt from the FTC’s jurisdiction, even when engaged in “non-common carrier” activiti… Continue Reading

Is Your Business Ready to Wield the Privacy Shield?

Beginning August 1, U.S.-based companies that self-certify their compliance with the EU-U.S. Privacy Shield will be able to import data under the new data transfer framework. But how can your company best prepare?

Companies in the United States may be excited that the EU-U.S. Privacy Shield – the new trans-Atlantic data transfer compact approved by th… Continue Reading

Breaking: EU Officially Approves Privacy Shield

U.S. companies will be able to import data from the EU under the streamlined data transfer regime starting August 1

Personal data transfers from the European Union are about to get easier for U.S. companies.

On July 12, 2016, the European Commission announced that it officially approved the EU-U.S. Privacy Shield, paving the way for the new trans-Atlantic … Continue Reading

EU Data Supervisor: Privacy Shield Needs “Robust Improvements”

The push for the European Union and the United States to reopen negotiations over the EU-U.S. Privacy Shield may have just become a shove, due to a recent opinion released by the European Data Protection Supervisor (EDPS) assessing the data protections offered and recommending a series of substantial changes to the new data transfer framework.

On May 30, t… Continue Reading