Category

Health Privacy

07 December 2017

U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law

On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries.  The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment.  For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage).  The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level. (more…)

SHARE
EmailPrintShare
31 October 2017

Article 29 Working Party Publishes Draft Guidelines on Notification of Personal Data Breaches Notification Under the GDPR

On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”). (more…)

SHARE
EmailPrintShare
17 August 2017

Influential Stakeholders Debate a Cross-Sector Approach in Using Big Data for Improving Human Health

Big Data has been a hot topic of discussion in recent years. This was especially the case in Brussels, where the fiercely debated EU General Data Protection Regulation (GDPR) was adopted in 2016. A major concern for all of us is personal privacy. Less discussed is the use of Big Data for social good.

A traditional sectoral approach to harnessing the potential of Big Data for social good is insufficient. This is the case in terms of organisations from different sectors partnering to develop new technologies. It also means that legislation and policies on Big Data must be forward thinking and facilitate cross-sectoral co-operation. (more…)

SHARE
EmailPrintShare
18 August 2016

Advocate Health to Pay Largest Ever HIPAA Settlement; HHS Flags Failure to Conduct Comprehensive, Organization-wide Risk Assessment

On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay  $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.

(more…)

SHARE
EmailPrintShare
04 August 2016

HHS Office for Civil Rights Updates Its Website with Guidance on HIPAA Audits and Unique Device Identifiers (UDIs)

HHS-OCR has updated its website with guidance on two important and current issues: ongoing HIPAA audits and deidentification.  After officially launching phase two of its audit program earlier this month, sending notification letters to 167 covered entities, HHS-OCR has posted updated guidance on its website regarding the audits.  Unrelated to the audits, OCR also posted guidance on the treatment of unique device identifiers (UDIs) under HIPAA’s standards for de-identification and limited data sets.

(more…)

SHARE
EmailPrintShare
07 July 2016

OCR Announces First HIPAA Settlement With a Business Associate

On June 24, 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a resolution agreement with the Department of Health and Human Services Office for Civil Rights (“OCR”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule after the theft of a CHCS mobile device compromised the protected health information (“PHI”) of 412 nursing home residents.  This is OCR’s first settlement with a HIPAA business associate.  As part of the settlement, CHCS agreed to enter into a two-year corrective action plan (“CAP”) and pay a monetary penalty of $650,000.

(more…)

SHARE
EmailPrintShare
09 June 2016

Robust Debate at NAIC Cybersecurity Task Force Interim Meeting Highlights Concerns with Draft Insurance Data Security Model Law

On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees.  The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).

(more…)

SHARE
EmailPrintShare
20 May 2016

Council Adopts EU-wide Cybersecurity Directive

On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.

The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015.  It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.

(more…)

SHARE
EmailPrintShare
15 February 2016

ALJ Upholds Civil Monetary Penalty Imposed by the Office for Civil Rights

On February 3, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that an HHS administrative law judge (ALJ) ordered Lincare, Inc., a home health provider of respiratory care, infusion therapy and medical equipment, to pay $239,800 in civil monetary penalties (CMPs) for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The violations were disclosing patient information to an unauthorized person, failing to take reasonable safeguards to protect patient information from unauthorized disclosure and failing to implement adequate policies and procedures to protect patient information removed from its offices. This marks only the second time that OCR has imposed CMPs for HIPAA violations.

(more…)

SHARE
EmailPrintShare
XSLT Plugin by BMI Calculator