On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its anxiously-awaited judgment in the Schrems II case. The CJEU’s decision upheld the Standard Contractual Clauses (SCCs) but, somewhat surprisingly,...more
7/21/2020
/ Court of Justice of the European Union (CJEU) ,
Data Collection ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
Executive Orders ,
Federal Trade Commission (FTC) ,
FISA ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Safe Harbors ,
Standard Contractual Clauses
On July 15, 2020, a final rule revising the federal regulations governing the Confidentiality of Substance Use Disorder Patient Records (also known as 42 C.F.R. Part 2 or Part 2) was published. The revised rule will implement...more
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to...more
The Federal Communications Commission (FCC) has issued a Declaratory Ruling providing guidance (Guidance) on the implementation of the Telephone Consumer Protection Act of 1991 (TCPA) as COVID-19 continues to necessitate...more
4/9/2020
/ Advertising ,
Auto-Dialed Calls ,
California Consumer Privacy Act (CCPA) ,
Debt Collection ,
FCC ,
Healthcare Facilities ,
Hospitals ,
Privacy Laws ,
Robocalling ,
State of Emergency ,
TCPA ,
Telecommunications ,
Telemarketing
The Department of Health and Human Services (HHS) announced on April 2 that HHS is exercising its enforcement discretion to permit business associates to use and disclose protected health information (PHI) for public health...more
4/6/2020
/ Business Associates Agreement (BAA) ,
Coronavirus/COVID-19 ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Medical Records ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
Personally Identifiable Information ,
PHI ,
Risk Management
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed by the Senate on March 25, 2020 would make fundamental changes to the federal law, 42 U.S.C. § 290dd-2, implemented at 42 C.F.R. Part 2 that governs...more
The coronavirus (provisionally named SARS-CoV-2, with its disease being named COVID-19) has now been documented in more than 100 countries and territories. Over 120,000 cases have now been documented across the globe,...more
On December 12, 2019, the Office for Civil Rights (OCR) announced its second enforcement action this year related to an individual’s right to access his/her protected health information (PHI). Korunda Medical, LLC (Korunda)...more
Beginning with the California Online Privacy Protection Act (CalOPPA) in 2004, California has led the U.S. in adopting laws to protect the privacy of its residents. California continued this trend by enacting the California...more
One health system recently learned the cost of relying too heavily on the HIPAA Breach Notification Rule’s “low probability of compromise” standard when it failed to notify all affected individuals and report the HIPAA breach...more
12/5/2019
/ Breach Notification Rule ,
Business Associates ,
Covered Entities ,
Data Breach ,
Electronic Medical Records ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
PHI ,
Reporting Requirements ,
Security Risk Assessments ,
Settlement Agreements
Recently proposed changes to the federal regulations governing the confidentiality of substance-use disorder patient records (Part 2) would all but eliminate the most significant and intractable barrier to sharing protected...more
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to...more
On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued two new FAQs that clarify:
The parameters around covered entities sharing protected health information (PHI) for a...more
The National Institute of Standards and Technology (NIST) has announced proposed changes to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The...more
On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a new fact sheet which lists the provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA)...more
5/31/2019
/ Business Associates ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Electronic Medical Records ,
Enforcement ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Liability ,
OCR ,
Personally Identifiable Information ,
PHI
...On April 4, 2019, California Assembly Member Wicks proposed sweeping changes to bill AB 1760, effectively repealing the California Consumer Privacy Act of 2018 (CCPA) and replacing it with the Privacy for All Act of 2019...more
4/11/2019
/ California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Privacy ,
Disclosure Requirements ,
Opt-In ,
Personal Data ,
Private Right of Action ,
Proposed Amendments ,
Regulatory Oversight ,
Right to Be Forgotten ,
Third-Party Service Provider
The U.S. Department of Health and Human Services (HHS) recently proposed two new rules designed to increase patient and provider access to health records. As stated by HHS in its press release, the proposed rules “will...more
2/21/2019
/ Centers for Medicare & Medicaid Services (CMS) ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Exchanges ,
Health Insurance Portability and Accountability Act (HIPAA) ,
MIPS ,
ONC ,
Patient Privacy Rights ,
Proposed Rules ,
Public Comment
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to...more
The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:
1. Raise...more
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to...more
So far 2017 is proving to be an active year for Health Insurance Portability and Accountability Act (HIPAA) enforcement. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total...more
With the news of the newest international ransomware campaign that is currently affecting some organizations within the Health Care sector, it is important to not only educate staff on necessary precautions, but also be aware...more
Businesses have been scrambling since Friday evening when news spread that a ransomware attack named WannaCry is compromising organizations at an alarming rate. In less than 48 hours, it has compromised more than 130,000...more
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to...more
Following on the heels of an active 2015, where eight states enacted changes to their data breach notification laws, another five states amended their statutes in 2016, adding complexity to the current “patchwork” system of...more