Please join Crowell & Moring’s Jodi Daniel and Elliot Golding on January 31, 2017 for an ABA webinar called Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More

This in-person panel discussion (with simultaneous webinar broadcast) will provide perspectives from the HHS Office for Civil Rights (OCR), the former director of the HHS Office of

Discussion headlines: UMass settles alleged HIPAA violations; FCC combatting robotexts and robocalls; TCPA class certification; failed investor suit over data breach; UK surveillance bill became law

UMass pays $650,000 to settle alleged HIPAA violations

The University of Massachusetts Amherst (UMass) reached an agreement to pay $650,000 to settle alleged HIPAA violations based on the disclosure

FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use

Hospital pays $2.1MM HIPAA settlement; Dynamic IP addresses protected under EU laws; EU guidance on GDPR coming soon; California’s new privacy compliance tool; banking regulators consider cybersecurity; FCC privacy proposal comments; OMB’s new privacy office; DFARS finalizes Safeguarding Rule

Hospital pays $2.1M to settle alleged HIPAA violations

St. Joseph Health, a California-based health system, reached

Guidance on HIPAA & cloud computing; Senators question FTC enforcement standards

HHS publishes guidance on HIPAA’s impact on cloud computing

This week, the Department of Health and Human Services issued guidance for HIPAA-covered entities and business associates regarding cloud computing.  When a covered entity seeks to use cloud services in connection with the use

HHS Jumps on the Cybersecurity Information Sharing Bandwagon; Third Circuit on Economic Loss as a basis for Negligence Claim; FTC workshop on Ransomware; German draft implementing law for GDPR revealed.

HHS Jumps on the Cybersecurity Information Sharing Bandwagon

Because of recent news reports confirming that cyberattacks against healthcare agencies have increased 125 % in the past five years, HHS is encouraging HIPAA Covered Entities and Business Associates to share information to combat future attacks.

HHS, based on authority from Executive Order 13591 and the Cybersecurity Information Security Act (CISA), is urging Covered Entities and Business Associates to join Information Sharing and Analysis Organizations (ISAOs) to share security threat and vulnerability information related to electronic protected health information (ePHI).

Ideally, ISAOs will provide a mechanism for sharing information bi-directionally “between HHS and the Health Care and Public Health (HPH) sector regarding cyber threats and will also provide outreach and education to the HPH sector.” This press release from HHS follows a similar measure by the Department of Homeland Security, which also encourages information sharing to mitigate the risk of cyberattacks.

In developing ISAOs in the health care sector, it is critical to consider three things:

  • the standards and best practices for the creation of ISAOs to ensure that covered entities and business associates that participate gain the protections of such information sharing under CISA;
  • the data that is shared in light of what is permitted under the HIPAA Privacy Rule; and
  • how participation in an ISAO can support compliance with the HIPAA Security Rule.

Crowell & Moring is a leading expert in the creation of ISAOs and HIPAA compliance and can help stakeholders that seek to comply with HHS’s call to action to consider the intersection of these various legal frameworks


Continue Reading

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes,

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aiming at replacing the formerly invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that also the Article 31 Committee will give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.


Continue Reading

OCR Launches Next Round of HIPAA Audits; French Privacy Office Levies € 100,000 Fine on Google; SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy; FTC and Canadian Regulator Execute Anti-Spam MOU; FTC Commissioner Announces She Will Step Down

OCR Launches Next Round of HIPAA Audits

Last Monday, following much anticipation, the Department of Health and Human Services OCR announced Phase 2 of its audit program to measure compliance with the patient privacy provisions of HIPAA. This audit follows OCR’s pilot audit of 115 Covered Entities and will likely examine 200 additional Covered Entities. For more information about what entities can expect, read Elliot Golding’s March 23 post.

French Privacy Office Levies € 100,000 Fine on Google

The French data protection authority (CNIL), one of the most active privacy regulators in Europe, fined Google € 100,000 for “failure to comply with the obligation to respect the rights of individuals to erase data” under the European “right to be forgotten.”  In May 2014, the European Court of Justice ruled that the compilation of Google search result links were “data processing,” and, as such, search engines should remove links at the request of data subjects.  The CNIL faulted Google for only removing links from searches that originated from EU IP address and not delisting all “Google Search” extensions.

SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy

The SEC secured settlements, totaling almost $18 million, with seven defendants accused of participating in a scheme to trade on hacked newswire information. These seven defendants are part of a larger alleged scheme of 32 defendants who, over five years, hacked newswires to obtain earnings announcements before they were released and then distributed and traded on those stolen statements. The government has also brought a parallel criminal action against some of the 32 defendants in the District of New Jersey and has stayed a massive civil suit based on the same hacking scheme.  The $18 million in recent SEC settlements come on the heels of a $4.2 million SEC settlement with Concorde Bermuda Ltd., also accused of taking part in the scheme.


Continue Reading

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has finally announced it is starting Phase 2 of its audit program.  OCR previously conducted a pilot audit of 115 Covered Entities in 2011-2012 to assess controls and processes.  Building on that experience, OCR will target approximately 200 Covered Entities and Business Associates in Phase 2.  Here is what entities can expect:

What: The audits will largely be “paper” reviews of policies and procedures, but will also include some on-site visits.  OCR indicates that it is “enhancing” its prior audit protocol, which OCR has already edited, based on changes in the Omnibus Rule.  OCR will first conduct desk audits of Covered Entities followed by a second round of desk audits for Business Associates (though these audits may also include site visits). A third set of audits will be conducted primarily onsite and will consider a broader range of issues than covered with the desk audits.  Some entities subject to a desk audit will also receive an onsite audit.  The audits will cover HIPAA only, not state privacy and security rules.

How: If selected for a desk audit, the timeline will generally be: (1) entities have 10 business days to provide requested documents electronically through a secure portal; (2) OCR will prepare draft findings; (3) auditees will have 10 business days to review and return written comments to OCR regarding the draft findings; and (4) OCR will complete a final audit report within 30 days of receiving comments back from the auditee.  Onsite audits will be more comprehensive than desk audits and will typically last 3-5 days.  In Phase 1 of the audit program, OCR typically provided 30-90 days advanced notice, but has not indicated how much notice will be provided for Phase 2.  Like desk audits, onsite auditees will have an opportunity to respond to OCR’s preliminary findings before a final report is prepared. 


Continue Reading