Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Enforcement

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies

Posted in Cybersecurity, Data Breaches, Enforcement
Every company, whether public or private, has exposure to a potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary …

California Continues to Regulate Privacy and Advertising to Minors in New Law Regulating School-related Online Services

Posted in Cybersecurity, Education, Enforcement
On September 29, 2014, California Governor Jerry Brown signed SB 1177 into law, effective January 1, 2015. See Governor Brown Issues Legislative Update. The new privacy and advertising regulation goes beyond FERPA, the federal student privacy law, and existing state student privacy laws that govern schools and requires them to obtain privacy protections for student …

Health System Investigated for Leaving PHI in Doctor’s Driveway – Settles with OCR for $800K

Posted in Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution …

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy, Privacy
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief …

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million, the highest settlement amount to date. These resolution agreements make it clear that organizations must be able to show the steps they have taken to analyze security risks to ePHI as specified by HIPAA …

Get Ready! HHS OCR Announces Next Round of HIPAA Audits

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
To combat new risks associated with rapidly evolving health information technology, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide standards for the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to individuals. HITECH …

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government, signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient …

Careful! Your Company May Be a De Facto Data Broker: Are Privacy Regulators Going for Broke(rs) as part of the 2014 Legislative and Privacy Enforcement Agenda?

Posted in Enforcement, Federal Legislation, Privacy
Concerns about privacy practices in the data broker industry, and the privacy implications of the lack of transparency “behind the scenes,” will remain a topic of intense regulatory and legislative focus in 2014. The Federal Trade Commission has defined “data brokers” as companies that collect personal information about consumers from a variety of public and non-public sources …

FTC Releases Complaint Alleging LabMD Failed to Protect Consumer Privacy

Posted in Enforcement, Uncategorized
Authorship credit: Tina U. Amin. FTC Complaint Alleges Disclosure of Medical and Other Sensitive Information over Peer-to-Peer Network and Alleges Identity Thieves May Have Obtained Sensitive Information. In August 2013, the Federal Trade Commission filed a petition in federal court to investigate Atlanta-based medical testing laboratory LabMD, Inc. on suspicion that the company failed …

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

Posted in Enforcement, HIPAA/HITECH
The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013. Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. The resolution agreement relates …

Federal Prosecutors Indict Accused Data Thieves

Posted in Data Breaches, Enforcement, Online Privacy, Payment Card Industry, Privacy
Federal prosecutors announced yesterday the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including Global Payments, Heartland Payment Systems, Hannaford, and NASDAQ, among …

HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company. The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online …

HHS OCR Director Leon Rodriguez’s Dialogue on HIPAA/HITECH Compliance

Posted in Enforcement, HIPAA/HITECH, Medical Privacy
“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez at the OCR/NIST 6th Annual Conference on Safeguarding Health Information: Building Assurance through HIPAA Security. Discussing the tension inherent in HIPAA between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance …

The FTC Mobile Privacy Staff Report

Posted in Behavioral Advertising, Enforcement, Mobile Privacy, Online Privacy
As reported here, the FTC earlier this month released a staff report on mobile privacy. The report, Mobile Privacy Disclosures: Building Trust Through Transparency, provides privacy practice recommendations to firms operating in the mobile app development “ecosystem.” The report’s recommendations are geared mainly toward developers and app store operators, such as Apple, Google, or Microsoft. …

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA …

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Our initial discussion can …

The HIPAA/HITECH Final Rule Has Been Released

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, Federal Legislation, HIPAA/HITECH, Identity Theft, Medical Privacy, Privacy
The long-awaited HIPAA/HITECH Final Rule is out. The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far: …

Massachusetts Provider Settles with HHS for $1.5M for ePHI breach incident

Posted in Enforcement, HIPAA/HITECH
To date, the Department of Health and Human Services (“HHS”) has entered into ten resolution agreements and imposed one civil monetary penalty in its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”). Four resolution agreements have been triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH …

Connecticut to Require Notice to Attorney General Following a Breach

Posted in Breach Notification, Data Breach Notification Laws, Enforcement
Connecticut has been in the forefront in protecting the personal information of its residents. In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, a settlement was reached between HealthNet and the state of Connecticut, stemming from a May …

Massachusetts Attorney General Settles Enforcement Action for $750,000

Posted in Data Breaches, Enforcement
In June 2010, South Shore Hospital announced on its website that unencrypted back-up tapes containing patient information went missing and were believed to have been discarded at a dump. Reports state that this incident involved 473 tapes which contained information about 800,000 patients, including names, social security numbers, account numbers, and medical diagnoses. On May …

FTC Issues Final Report with Guidance on Companies’ Online Privacy Practices

Posted in COPPA, Enforcement, Federal Legislation, Online Privacy, Privacy
Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The much-anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach …

HHS Settles HIPAA Violations Related to a Breach for $1.5M

Posted in Data Breaches, Enforcement, HIPAA/HITECH
BlueCross BlueShield of Tennessee (BCBST) was the victim of a theft in 2009 when an intruder stole 57 hard drives which contained protected health information (PHI) of more than 1 million customers. The information on the hard drives included names, Social Security Numbers, diagnosis codes, dates of birth, and health plan identification numbers. Reports suggest …

Key Government and Industry Leaders Discuss Data Privacy at IAPP Summit

Posted in Behavioral Advertising, COPPA, Enforcement, Mobile Privacy, Online Privacy
Last week in Washington, DC, officials from the U.S. Federal Trade Commission, the Department of Commerce, major trade associations and key stakeholders from around the world gathered at a global privacy summit convened by the International Association of Privacy Professionals. During the two-day conference, panels covered a broad range of topics from mobile device …

All Contracts with Vendors Who Handle Personal Information of Massachusetts Residents Must Have Appropriate Safeguards in Place by March 1, 2012

Posted in Enforcement, Information Security
Regulators are focusing more and more on how responsible organizations are when engaging third-party vendors. HIPAA has in place requirements for engaging business associates. The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors. And, the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third-party service providers. This is …