Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation

email menu on monitor screenRecently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which  had affirmed the Unemployment Compensation Referee’s decision that Jami M. Dantry (Dantry) was ineligible for unemployment compensation benefits because Dantry’ s conduct rose to the level of willful misconduct based on a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act  (FERPA), and for insubordination.  The Commonwealth Court of Pennsylvania remanded the matter to the Board for the issuance of a decision determining whether Dantry’s alleged insubordination constituted willful misconduct.

Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices

Laptop with Stethoscope and globe, global medical conceptThis article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here.

The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find hardest to control – the loss or theft of devices and records. As work travel and remote working continue to increase, so too do the instances when company devices leave campus and become vulnerable to loss and theft. The Report states that from Jan. 1, 2018, to Aug. 31, 2018, covered entities reported 192 incidents of theft, affecting 2,041,668 individuals. Adding further gravity to the impact of theft, stolen laptops are not an insignificant source of Office of Civil Rights (OCR) fines:

Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention

This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series, click here.

The report on cybersecurity best practices (Report) is not the first time HHS has discussed the prevalent issue of ransomware attacks on healthcare entities. In 2016, HHS issued its Ransomware Factsheet, which cited a 2016 U.S. government interagency report stating that in the first six months of 2016, there were an average of 4,000 ransomware attacks every day, a 300 percent increase from 2015, when the daily average was 1,000 attacks. While this figure was startling, perhaps the most impactful portion of the Factsheet was HHS’ position that “[w]hen [ePHI] is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired[,] and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” In other words, now that this guidance has been issued, covered entities are required to presume a ransomware incident is a breach unless the evidence demonstrates a low probability of compromise based on the HIPAA breach risk assessment factors, including specifically that the PHI was not actually viewed or acquired. The guidance expanded the four-factor risk assessment under HIPAA when ransomware is involved to include consideration of the availability and integrity of the data.

Continue Reading

Insurance Data Security Model Law Picks Up Steam

Businessman pressing a security concept button.Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of New York. The legislative trend based on the NAIC model law prescribes detailed cybersecurity requirements for insurance-related entities. South Carolina led the pack, enacting the Insurance Data Security Act in May 2018. Ohio and Michigan followed suit in December, and other states appear poised to consider similar legislation.

Continue Reading

Washington State Proposes Sweeping Privacy Legislation

Computer security concept. Others in this series.On Jan. 17, 2019, a new privacy law was proposed in the Washington state Senate. If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” Lifting many provisions almost entirely from the text of the European Union’s General Data Protection Regulation (GDPR), the legislation would arguably make Washington one of the most privacy-protective states in the nation. In this article, we explore the contours of the Washington Privacy Act and the practical implications for organizations subject to the legislation, if enacted.

Continue Reading

What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. If the breach reported to HHS involved more than 500 individuals, it is published for the world to see on an HHS website, colloquially referred to as the “wall of shame.”

In existence since 2009, the wall provides a brief summary of data breaches, including the name of the covered entity, covered entity type (i.e., provider or business associate), number of individuals affected, type of breach and location of the breach (e.g., server, email, electronic medical record). Congress mandated that the public have access to breach information, but questions have arisen regarding the value of the site, how the data is presented and how long the data should be available to the public.

Continue Reading

The Use of Smart Speakers in Healthcare

Smart speaker on the table in the living room, 3D

Smart speakers are voice-activated, internet-connected devices with an integrated virtual assistant that can answer questions, follow instructions and control other smart devices. Nearly one in five U.S. adults has access to a smart speaker, and it has been estimated that in 2018, the number of smart speakers installed reached 100 million worldwide. Using voice recognition, a smart speaker’s virtual assistant can understand what is being said and act upon it. Once the system is activated, it records what is being said and sends it over the internet to the main processing service, which deciphers the speech and sends a response back to the smart speaker. Smart speakers can control other smart devices upon verbal command and perform tasks such as controlling music, lights, television and home security systems, as well as playing audible books.

Read more.

“No Deal” Brexit May Bring Practical Problems for Privacy and Data Protection

"EU flags fly in a row in front of the European Commission building in Brussels, Belgium"

With a “No Deal” Brexit seeming more likely than ever after the UK Parliament voted down a proposed deal in January 2019, concerns are rapidly multiplying about the effects of such a withdrawal from the EU for organizations doing business in the UK, and how those organizations will address numerous practical issues, privacy and data protection among them.

In recently released updates to its post-No-Deal Brexit guidance, the UK’s Information Commissioner’s Office (ICO) clarifies several privacy-related implications and addresses some common concerns while urging organizations to start preparing now, before the looming March 29, 2019, effective date of a No Deal Brexit.

Continue Reading

FINRA Issues Recommendations and Best Practices to Address Common Cybersecurity Risks for Broker-Dealer Firms

Press enter button on the keyboard computer Shield cyber Key lock security system abstract technology world digital link cyber security on hi tech Dark blue background, Enter password to log in. lock finger KeyboardThe Financial Industry Regulatory Authority (FINRA) has issued its “Report on Selected Cybersecurity Practices – 2018” to provide further guidance to broker-dealer firms in developing and improving their cybersecurity programs. The report piggybacks on FINRA’s 2015 “Report on Cybersecurity Practices” by identifying five common cybersecurity risks and outlining recommended practices addressing these risks:

• Branch controls
• Phishing attacks
• Insider threats
• Penetration testing
• Mobile devices

Continue Reading

Public Forums on the California Consumer Privacy Act Continue in Los Angeles – Rulemaking to Follow

The public forums on the California Consumer Privacy Act (CCPA), held by the California Attorney General (AG) and the Department of Justice, continued on Friday, Jan. 25, in Los Angeles, California. At the forum, speakers had a brief opportunity to provide their comments on the CCPA. Prior to opening up the floor to members of the public for comments, representatives from the AG’s office articulated to the couple of hundred attendees that they are seeking public comment in the following areas in which the California AG has the authority to solicit public participation and issue regulations pursuant to Section 1798.185 of the CCPA: Continue Reading