Digital Health Industry Take Note: New HIPAA Comment Opportunity and Guidance Addresses Growing Risk of Cybersecurity Attacks

Digital health companies should take note of new data privacy and security developments under the Health Insurance Portability and Accountability Act (HIPAA) that can affect product planning and customer negotiations.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a request for information (RFI) seeking input on (1) how covered entities implement recognized security practices, which OCR considers in enforcement matters and (2) the different types of harm that individuals experience from HIPAA violations in order to consider how OCR may share enforcement recoveries with individuals harmed. Digital health companies subject to HIPAA should consider submitting comments by the June deadline to ensure that the evolving digital health industry has a voice in establishing industry best practices and advocating for continued flexibility in the implementation of security standards that suit their unique business needs distinct from traditional covered entities and business associates. (more…)

CISA: “We don’t stab the wounded.”

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. CISA desires to partner with other agencies as well, operating as the “front door” to federal agency support and cyber security resources, she stated. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). (more…)

Joyce Yeager

Knowledge Management Lawyer

jyeager@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

EU Data Governance Act – Edging Closer to a European Single Market for Data

On 6 April 2022, the European Parliament formally approved the Data Governance Act (“DGA”), which establishes a legal framework to promote the availability of data and increase trust in data sharing across sectors in the EU. Some of the key objectives of the new legislation include enabling the re-use of certain categories of protected public sector data and making it easier and safer for citizens and businesses to share their data with relevant stakeholders. (more…)

Utah Joins the Comprehensive Privacy Law Club

Utah has become the fourth state, following California, Virginia and Colorado, to enact a comprehensive consumer data privacy law.  The Utah Consumer Privacy Act (“UCPA”), formerly known as Senate Bill 227, passed the Utah Senate and House with no opposition, and was signed by Governor Cox on March 24, 2022.

The UCPA shares many similarities with Virginia’s Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), and some similarities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). That said, the UCPA is somewhat narrower and more business friendly than other state privacy law analogs. The UCPA will go into effect on December 31, 2023. (more…)

Privacy by Design and Data Minimisation

*This article was first published by Global Data Review in March 2022.

“Privacy by design” refers to the practice of integrating and embedding privacy and data protection into the development and implementation of information technology systems, business practices and policies, and products and applications. (more…)

CISA Publishes a List of Key Elements to Share in Incident Reports

Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity. (more…)

Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced

On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.

OCR’s reminders and recommendations for regulated entities include to: (more…)

Uniform Personal Data Protection Act Offers an Alternative Approach to Consumer Data Protection

*This article first appeared in Legaltech News on March 22, 2022, available here.

With federal consumer privacy bills gaining little traction, the Uniform Law Commission proposes the Uniform Personal Data Protection Act (UPDPA) as an alternative to the existing quilt of state consumer privacy laws. In a panel hosted by Sidley Austin partner Alan Raul, the drafters discussed the major features of the law and how they balance consumer concerns about data privacy while reducing commercial disruption. (more…)

White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks

On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyber attacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities”, which she said could include scanning of websites and hunting for software vulnerabilities.

In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to: (more…)

Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022

The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)