Archives: Data Protection

GDPR matchup: The Health Insurance Portability and Accountability Act


This article was first published in the IAPP’s Privacy Tracker blog.

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your effo…

China’s Cybersecurity Regulators Issue Procedural Rules to Strengthen Enforcement Power


For the past several years, the Cyberspace Administration of China (the “CAC”) has risen to a very important status among the Chinese national government’s agencies. However, it lacks a specific procedural law to empower it with specific enforcement actions. Against this background, the CAC issued the Provisions on Administrative Law Enforcem…

Public Still Must Be Kept Private Under HIPAA

A not-for-profit health care system recently agreed to pay the Department of Health and Human Services (HHS) $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act (HIPAA) violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and poli…

A Draft Won’t Do: OCR Settles with CardioNet $2.5M for Failing to Finalize Policies and Procedures

On April 24, 2017, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has paid $2.5 million to settle alleged HIPAA violations. This is the first HIPAA settlement involving a remote …

Chinese Government Releases Overreaching Draft Regulations on Cross-Border Data Transfer

Last month, the Cyberspace Administration of China released draft regulations on the cross-border transfer of data in China. The draft regulations are available for public comment until May 11.

The purpose of these regulations is to specify the restrictions on cross-border data transfer that were established by the recent passage of China’s Cyb…

HIPAA Enforcement Actions by the Numbers


Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for …

And Then There Were 48 (States): New Mexico Enacts a Security Breach Notification Statute

On April 6, 2017, New Mexico joined 47 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands when Governor Susana Martinez signed House Bill 15, codifying the Data Breach Notification Act. With New Mexico becoming the 48th state to enact a security breach notification statute, only Alabama and South Dakota have not codified requirements for repo…

It’s Official: Privacy and Security Rules from Wheeler Era Repealed

On Monday, April 3, President Trump signed a bill repealing the privacy and security rules introduced in the FCC’s October 2016 Order. Under the terms of the Congressional Review Act (CRA), those rules have now been entirely repealed, the FCC is restricted from implementing “substantially similar” rules in the future, and the congressional act…

New FCC Stays ISP Data Security Rules from Wheeler Era

On Wednesday, the Chairman Pai-led FCC adopted an Order granting a stay of the data security rules that were adopted as part of the Commission’s 2016 Privacy Order spearheaded by former FCC Chairman Wheeler. The stay will maintain the data security rules that have been in place for several years, but suspend implementation of the expanded data security r…

New FCC Chairman Moves to Roll Back Privacy Rules for Internet Service Providers

Ever since the presidential election and the replacement of former Obama administration FCC Chairman Tom Wheeler with former Republican commissioner and now Chairman Ajit Pai, communications industry and privacy policy observers of all stripes have expected the new FCC to roll back much or all of the agency’s pre-election (October 2016) privacy Ord…

To Settle or Not to Settle – That Is the Question Raised by Recent HIPAA CMPs

On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of question…

HIPAA Small Breach Notifications Due March 1: “In Like a Lion, Out Like a Lamb” if You Submit Timely


March 1, 2017 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2016. A small breach involves fewer than 500 individuals.

HIPAA Notification Requirements. HIPAA re…

IoT Vendors Beware: FTC’s Latest Enforcement Action Signals Further Scrutiny of the Industry

FTC Complaint Alleges IoT Vendor’s Security Promises Don’t Match Its Practices

The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices. IoT is in the spotlight following last year’s …

The Price of PHI – A $2.2 Million USB Drive

A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,…

Time Waits for No One: OCR Announces First HIPAA Settlement for Lack of Timely Breach Notification

On Jan. 9, 2017, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action for failure to timely report a breach. Often investigating and making formal determinations concerning a potential breach can be very time consuming, even when responding promptly and appropriately to the eve…

2017 Health Information Privacy and Security New Year’s Resolutions

To start off the New Year, here are some potential health information privacy and security resolutions. You can use these Annual, Quarterly, and Monthly lists to map out your privacy and security tasks for the year, and then check them off as you complete them. We have included empty rows for you to add your own resolutions.

As with any New Year’s resolution…

HIPAA Starter Pack


HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, but there’s more to it than that.

Immerse yourself in an introduction to one of the most talked about and relevant laws today. Every American under the Affordable Care Act should be aware of HIPAA. Individuals or companies that create, receive, maintain, or transmit heal…

How Secure is Your Company?

Given all of the unknown variables that occur in a business, it’s important to see the potential threats right in front of you. Now’s the time to take inventory of risks that may face your business.

A risk assessment is a standardized method of evaluating the potential risks that face your business. You need to determine the scope of your assessment, invent…

Are You Prepared For When Things Go Wrong?

If your company’s data suddenly becomes lost or stolen, or is accessed without authorization, can you handle what comes next? Every day, entities of all shapes and sizes experience some form of a security breach. Some are the result of system hacking, theft, or malware, but some are simply the result of an employee’s mistakes, and therefore are prevent…

Cyber Security Threats are Evolving. Are You?

Cyber-attacks are constantly growing more challenging and dangerous. It is a top priority for businesses to protect their networks, computers, and information from unauthorized access. Should a data breach occur, cyber criminals, industry competitors, and even foreign governments put your employees and business and customer relationships at risk…

Feeling Lost in a Storm After Suffering a Data Breach?

The FTC Issues Guidance on How to Batten Down the Hatches


When faced with a data breach, it’s easy for companies to feel like they’re attempting to navigate a storm without a rudder.

To provide a guiding light to companies, the Federal Trade Commission (“FTC”) recently issued a guide for businesses, with an accompanying video and blog post, o…