Government Agencies

Subscribe to Government Agencies via RSS

OCR Announces a Settlement … Again; HHS Eases Restrictions on Mental Health Information Sharing to Facilitate Gun Control Efforts; Facebook: Users Lack Standing in Cookie MDL; Plaintiffs Argue for Summary Judgment in $5 Million Twitter TCPA Suit

OCR Announces a Settlement … Again

For the second time this week, OCR announced another huge settlement. The

FTC Settles IoT Enforcement Action; HHS Releases HIPAA/NIST Crosswalk; HHS Provides FAQs on Patient Fees for PHI Release; Judicial Redress Act Becomes Law

FTC Identifies Reasonable Security Measures Through IoT Enforcement Action

The Federal Trade Commission (FTC) settled charges with ASUSTek Computer, Inc. (ASUS), a manufacturer of home router and home networking (or “home cloud”) equipment, related to the security of the devices. According to the settlement, ASUS advertised that its home routers and networking equipment could protect the connected computers “from any unauthorized access, hacking, and virus attacks.” The FTC alleged, however, that ASUS did not secure data in a reasonable way and instead exposed consumers to hackers. The settlement emphasizes the FTC’s interest in securing devices connected to the Internet of Things (IoT) and provides additional guidance regarding the FTC’s view of “reasonable” security.Continue Reading Privacy & Cybersecurity Weekly News Update

California AG Defines “Reasonable Security;” Apple Opposes FBI Hack Request; Russia to Enforce Data Localization with (Surprise) Audits; HHS Helps Health App Developers Determine if Subject to HIPAA; Carrier IQ Agrees to $9M Data Leak Settlement

California AG Defines “Reasonable Security”

California Attorney General (AG) Kamala Harris published the 2016 “California Data Breach Report,” which lays out what the state believes to be “reasonable security” for the purpose of California’s law that requires protecting personal information.

This is the first time California has recommended an external industry standard as a baseline “reasonable security” requirement. According to the California AG, the chosen standard (Center for Internet Security’s (CIS) Critical Security Controls (formerly known as the SANS Top 20)), is a consensus list of the “best defensive controls to detect, prevent, respond to, and mitigate damage from cyber attacks,” and is updated periodically to keep up with technology. The FTC has previously recommended using industry standards, but did not go as far as California in prescribing a particular one.Continue Reading Privacy & Cybersecurity Weekly News Update

President announces cybersecurity action plan; Congress passes Judicial Redress Act; French DPA notice provides compliance guidance; and FCC set to enforce CPNI rules.

President Obama Announces Cybersecurity Action Plan

The President announced his Cybersecurity National Action Plan (CNAP) this week, with a FY 2017 Budget proposal that includes $19 billion on CNAP initiatives – a 35 increase in cybersecurity spending over his FY 2016 budget. While the CNAP focuses on the private sector’s role in shoring up the nation’s cybersecurity, it contemplates only voluntary activities and does not impose obligations on the private sector. The CNAP includes plans to expand support for critical infrastructure, improve cyber hygiene, enhance cyber incident response, establish the Commission on Enhancing National Cybersecurity, modernize government IT and governance, and develop cybersecurity technology and workplace skills. To read more about the proposals and what it means for companies, please see our Client Alert on the CNAP.Continue Reading Privacy & Cybersecurity Weekly News Update

HHS proposes new substance abuse information confidentiality rules; HHS releases PHI disclosure fact sheets; U.S.-EU Safe Harbor replacement announced; OCR levies civil monetary penalties; and FTC settles charges with technology company for installing apps without consent.

HHS Proposes Update to Substance Abuse Confidentiality Rules

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules (42 C.F.R. Part 2), which were last substantively updated in 1987. The proposed updates are intended to help health care providers improve integrated care efforts in the electronic environment. For further information, see our C&M Health Law blog post on the topic.Continue Reading Privacy & Cybersecurity Weekly News Update

For only the second time in its history (following the $4.3 million Cignet case) the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability (HIPAA) Privacy Rule.

Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).

The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.Continue Reading OCR Levies Second Ever HIPAA Civil Monetary Penalty

Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).Continue Reading EU Member States to Investigate EU-U.S. Transfers That Rely Solely on Invalidated Safe Harbor: Starting Now

The Article 29 Working Party (WP29), consisting of the data protection authorities (DPAs) of all 28 European Union (EU) Member States, met February 2-3 to discuss the future of EU-U.S. data flows. The meeting coincided with an end-of-January deadline that WP29 had set for the European Commission and U.S. Department of Commerce to provide a

The U.S. Department of Commerce and European Commission have remained publicly optimistic about their renegotiation of the U.S.-EU Safe Harbor (Safe Harbor) following the program’s invalidation by the European Court of Justice in October. Unfortunately, there are signs of trouble in the U.S. Senate and future trouble coming from European Union (EU) regulators.

The EU