Three Boston-Area Hospitals Settle HIPAA Allegations Arising From On-Site Filming of Television Documentary

Three Boston-area hospitals collectively paid just under $1 million to settle allegations that they violated HIPAA by improperly disclosing patients’ identities and other protected health information during onsite filming of a television network documentary.  According to the Department of Health and Human Services Office for Civil Rights (OCR)’s September 20, 2018 press release, the three hospitals – Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) – permitted film crews to film an ABC television network documentary series on premises without first obtaining authorizations from patients.  Collectively, the three hospitals paid $999,000 to settle potential violations of the HIPAA Privacy Rule, with BMC paying $100,000, BWH paying $384,000, and MGH paying $515,000.

Read More

EmailShare

California and Preemption

As one of the epicenters of the Information Age and largest state in the Nation, California’s regulatory decisions can have an outsize impact on the data economy.  Recently, the State has tried to use this pride of place to stamp its imprint on two important public debates.  First, on September 30, 2018, Governor Brown signed into law the California Internet Consumer Protection and Net Neutrality Act of 2018 (Senate Bill 822), which seeks to impose, as a matter of state law, net neutrality regulation even more restrictive than the federal regime the Federal Communications Commission (FCC) repealed earlier this year.  Second, earlier this year, California enacted (and then subsequently amended) the California Consumer Privacy of 2018, the broadest privacy law in the United States.  As laid out below, these enactments have sparked legal and policy debates over whether California should be able to set rules that could become de facto national standards or whether federal rules do or should preempt California’s efforts. 

Read More

EmailShare

Highlighting the Chinese Cybersecurity Law

Former Department of Homeland Security Chief Privacy Officer Hugo Teufel III and Sidley’s Edward McNicholas addressed a packed room on Chinese Cybersecurity Law at the 2018 Privacy + Security Forum hosted at George Washington University.  The timely presentation highlighted how, with significant attention in the past few years focused on the GDPR, many have not fully appreciated the significant policy and legal developments coming out of Beijing.  In particular, China has been creating a materially different approach to cybersecurity which serves the central purpose of defending the Chinese notion of cyber sovereignty.  Much uncertainty remains about the newly-effective laws and regulations, but it is clear that foreign technology and other companies operating in China should rapidly focus on its significant restrictions on outbound data transfer, the expansive definitions of “important data”, as well as reviews of network equipment security. Their presentation is available here.

EmailShare

White House and Pentagon Announce New Cyber Strategies

The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy.  The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future.  Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and see the public and private sectors working together to mitigate cyber risks. 

Read More

EmailShare

The Trump Administration’s Approach to Data Privacy, and Next Steps

* This article originally appeared in Law360 on September 27, 2018.

On Sept. 25, 2018, the Trump administration proposed an approach and initiated a process to modernize U.S. data privacy policy.  The administration’s approach is “risk-based” rather than rule-based, and, as such, signals a willingness to move away from a privacy model of mandated notice and choice that has “resulted primarily in long, legal, regulator-focused privacy policies and check boxes.” Rather, the administration is proposing that U.S. privacy policy “refocus” on achieving desirable privacy “outcomes,” such as ensuring that users are “reasonably informed” and can “meaningfully express” their privacy preferences, while providing organizations with the flexibility to continuing innovating with cutting-edge business models and technologies.

Read More

EmailShare

Senate Hearing on Federal Privacy Law: Question is Not Whether But What Form

On September 26, the Senate Commerce Committee invited tech and telecom companies to the Hill to discuss safeguards for consumer data privacy. “The question,” noted Chairman John Thune, “is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” The Senators and testifying witnesses expressed strong support for a comprehensive federal privacy law.

Read More

EmailShare
1 2 3 59
EmailShare
XSLT Plugin by BMI Calculator