Category Archives: Regulatory Fines & Settlements

Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights in 2015 & 2016

The last time this blog presented an overview of key HIPAA settlement agreements at the Office for Civil Rights in the U.S. Department of Health and Human Services was a review of 2014. The number of complaints that year had spiked compared to 2013, roughly a 25% increase. This post examines key cases from 2015 and 2016. While the number of complaints in 2015 held relatively steady with 2014, preliminary numbers suggest that 2016 was the busiest year ever for the Office. HHS has data through November 2016 currently posted on its website, but no …

Legal Considerations for Website Privacy Policies

You finally created your website. Did you include eye-catching graphics? Check. Did you include an attention-grabbing banner slogan? Did you post all of your social media handles? Did you include a privacy policy for the website? Maybe… We get questions from clients about whether they are required to include a privacy policy and, if so, what it should say. The answers may surprise you, but a privacy policy should definitely not be an afterthought for website owners. It certainly isn’t a best practice to simply copy and paste the privacy policy from another company’s website. The representations made in website …

Policing Internet Privacy: FCC’s New Frontier

Unwilling to be left behind by the likes of Google and Facebook, Internet Service Providers are increasingly exploring how they might capitalize on the high-value targeted advertising market. In November 2016, AT&T explained that targeted advertising is a major motivation behind its bid to buy Time Warner Inc. for $85 billion. AT&T is not alone. In 2015, Comcast acquired an ad-targeting firm, Visible World, in what has been widely viewed as an effort to gain a stronger footing in the industry. Another major mobile carrier recently came under fire following its acquisition of a name-brand ISP for sharing information about users …

FCC Latest Federal Agency to Chime in on Data Security

In 2015, the Federal Communications Commission joined the chorus of federal agencies asserting their authority over data breaches. In April, the agency made its first foray into the field by way of a consent decree with a major communications provider. In July, the FCC inked another consent decree, this time with TerraCom, Inc. and YourTel America, Inc., based on alleged failures to protect personally identifiable information. Both actions resulted in stiff monetary penalties, the imposition of stringent compliance programs, and years of audits. And the FCC’s policing efforts with regard to consumer privacy …

Cybersecurity Developments at the SEC

In September 2015, the Securities and Exchange Commission took two separate but significant actions related to cybersecurity in the securities industry. Because they occurred so close together, the actions had some people wondering whether they were linked, suggesting an imminent increase in enforcement actions by the agency. Both actions are important, not only to securities firms in particular but to anyone interested in understanding the agency’s viewpoint on cybersecurity. Viewed in context, however, the SEC’s recent actions do not appear to signal any meaningful shift in agency behavior. Nonetheless, they should serve as a reminder to …

Cloud Sharing Apps Scrutinized for ePHI

In a relatively short time, the direct costs of document storage have dropped precipitously, and cloud-based document storage has become ubiquitous. Clearly, this is the wave of the future. But a recent settlement agreement between the Office for Civil Rights and a Boston-area hospital should make it plain that, when it comes to electronic protected health information, mobile devices and cloud-based storage apps carry significant risk. On July 8, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights, and St. Elizabeth’s Medical Center entered into a settlement agreement following an investigation into a complaint …

Should Feds Regulate Persistent Identifiers as Personal Information?

Recently, the Federal Trade Commission settled an action it had brought against Nomi Technologies, a provider of “in-store analytics” technology. The fact that the action was brought against Nomi at all, considering what Nomi does, together with the 20-year consent decree that Nomi entered into with the FTC, has raised more than a few eyebrows. It has left many, including some of the FTC’s own Commissioners, wondering just what regulators are interested in when it comes to controlling information collection practices in the “information economy.” Nomi develops and markets technology to retailers that helps to physically track …

SCOTUS Decision in Spokeo Could Have Significant Impact on Data Breach Litigation

Following several significant data breaches in 2014 and 2015, including one reported just last week by the IRS, organizations of all types are on high alert to safeguard against data breaches and to prepare incident response plans, recognizing that no one is immune. As organizations prepare for a business climate in which consumers and government regulators alike expect proactive risk assessment and programs to address identified vulnerabilities, there is little question that such heightened expectations will lead to significant regulatory action and litigation in the aftermath of data breaches. At a May 11, 2015 event hosted by U.S. …

A Year in Review: Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights

The U.S. Department of Health and Human Services Office for Civil Rights had another busy year in 2014. More resolution agreements were signed by HHS and Covered Entities than in the previous year, and several Covered Entities agreed to pay significant amounts to resolve investigations. Below is a brief summary of the most notable enforcement actions. In March 2014, OCR settled alleged HIPAA violations by Skagit County, Washington, home to approximately 118,000 residents. The County agreed, among other things, to pay a $215,000 monetary settlement. According to OCR, the electronic protected health information of 1,581 people was accessed by unknown …

Looking at the Past to Predict the Future of HIPAA/HITECH Enforcement

2013 was a busy year for the Department of Health and Human Services. In January 2013, HHS issued its Final Omnibus Rule, substantially modifying the Privacy, Security, and Enforcement Rules under the Health Insurance Portability and Accountability Act (HIPAA) as well as the Breach Notification Rule under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The Final Omnibus Rule gives HHS’s Office for Civil Rights even greater authority to police covered entities and to enforce HIPAA/HITECH Act privacy regulations. As expected, OCR was active in its enforcement of the Final Omnibus Rule in 2013. In …