Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
FAQ on the Proposed Modifications to the HIPAA Rules: Part Two
This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week. Part One can be found here. Part Two focuses on the proposed modifications to the Privacy Rule.
FAQ on the Proposed Modifications to the HIPAA Rules: Part One
As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant inboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of an FAQ on the 234-page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.
My Notes from the IAPP Global Privacy Summit 2010
As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions.
Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:
- How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy? It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano. Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing). It would also be nice to hear more about the EU Cookie Consent law - a panel is scheduled, but it is unknown whether it will take place in light of the volcano debacle.
- HIPAA/HITECH and Medical Identity Theft: Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
- "Reasonable Security": What does Massachusetts think? What does the FTC think? What in the world is it and how in the world can organizations comply?
- On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent. What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
- Social media: how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
- The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
- Breaches, breaches, and more breaches. Of course.
A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.
Stay tuned, I will endeavor to post developments on a daily basis.
Security Breach Notices for Canadian Data
There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?
The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.
More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Privacy Act, will soon require organizations to notify the Alberta Privacy Commissioner of potentially harmful security breaches – who may then dictate the terms of notice to affected individuals.
The New Health Care Breach Notification Landscape -- HHS Rules
On February 17, 2009, Congress signed into law the Health Information Technology for Economic and Clinical Health or “HITECH” Act (“HITECH” or the “Act”) as part of the American Recovery and Reinvestment Act. The HITECH Act requires entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to provide notification to affected individuals and to the Secretary of Health and Human Services (“HHS”) following the discovery of a breach of unsecured protected health information. HITECH also requires business associates of HIPAA-covered entities to notify the covered entity in the event of a breach. The Act required HHS to issue interim final regulations with respect to the new breach notification requirements. On August 24, 2009, the HHS interim final regulations were published in the Federal Register. This post addresses some of the requirements of the HHS rules -- it does not address the FTC's rules for personal health records.