HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

By Kimberly J. Kannensohn, Benjamin Petitto & Lauren M. Ramos on March 27, 2020

Posted in Cybersecurity, Health Information, Other, Privacy

Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS

By Neelam Takhar, Janet P. Peyton, Bethany Gayle Lukitsch, Alicia A. Baiardo, Justin T. Yedor & Anthony Q. Le on March 24, 2020

Posted in Cybersecurity, Other

In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed to infect computers with malware or obtain sensitive, personal information.

For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infect the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.

Continue Reading Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS

Cybersecurity and Infrastructure Security Agency Issues Initial Guidance on Essential Workers, Sectors

By Eric Mills, Susan C. Rodriguez, Nicole S. Giffin, D. Bowen Heath & Brian D. Barger on March 23, 2020

Posted in Other

As many industries transition to alternate working arrangements in response to COVID-19, certain sectors and functions essential to the nation’s public health, safety and community well-being must continue to operate. The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security recently released an initial list of “Essential Critical Infrastructure Workers” to help guide state/local officials and industry leaders on which sectors and functions should continue during the COVID-19 response. This memorandum was released after President Trump issued guidance that workers in critical infrastructure industry, as defined by DHS, “have a special responsibility” to maintain a normal work schedule.

NYDFS Seeks Assurances from Regulated Entities in the Wake of COVID-19

By Ashley Matthews on March 19, 2020

Posted in Cybersecurity

The New York Department of Financial Services (“NYDFS”) has issued a series of Industry Letters requiring regulated institutions to submit information regarding plans to manage risks associated with the novel coronavirus (“COVID-19”). The Letters request descriptions of the entities’ planned responses to a variety of threats posed by COVID-19, including heightened cybersecurity risks.

The four Industry Letters issued by the NYDFS are directed to various regulated entities and require responses regarding the entities’ prospective responses to COVID-19. Among the required responses are those regarding the regulated entities’ strategies to address specific cybersecurity-related risks, including:

Continue Reading NYDFS Seeks Assurances from Regulated Entities in the Wake of COVID-19

California Attorney General’s Second Set of Modified CCPA Regulations: Undoing, Redoing, Clarifying

By Justin T. Yedor, Alicia A. Baiardo & Bethany Gayle Lukitsch on March 12, 2020

Posted in Other, Privacy

Here we go again. On March 11, 2020, the California Attorney General (AG) published a second set of modifications to its Regulations under the California Consumer Privacy Act. Unlike the AG’s modifications from just last month, the substantive changes this time are not quite so numerous. There are, however, a few provisions worth noting.

As a general matter, the most significant changes this time around consist of undoing some of the additions made in the first set of modifications. There is also some new language in the Regulations that provides further guidance for businesses that do not directly collect personal information as well as businesses working to draft CCPA-compliant privacy policies.

Continue Reading California Attorney General’s Second Set of Modified CCPA Regulations: Undoing, Redoing, Clarifying

Small Businesses Are Not Safe from Big HIPAA Liability

By Lauren M. Ramos & Austin R. Shepard on March 9, 2020

Posted in Health Information, Other

In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below. Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability

The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework

By Justin T. Yedor on February 25, 2020

Posted in Genetic Information, Health Information, Privacy

There are many laws at the state and federal level that regulate the processing of genetic information. There may soon be one more.

Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.” As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA. Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination. However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA: (1) the GIPA would create a requirement to obtain written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as this purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.

Continue Reading The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework

Industry Insight: The CCPA’s Elusive “Reasonable Security” Safe Harbor

By Anne S. Peterson on February 17, 2020

Posted in Cybersecurity, Data Breach, Privacy

“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.” Karen Zacharia, Chief Privacy Officer at Verizon

The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy. The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information. In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.

Continue Reading Industry Insight: The CCPA’s Elusive “Reasonable Security” Safe Harbor

California Attorney General’s Modified CCPA Regulations: Top Ten Changes

By Justin T. Yedor, Alicia A. Baiardo, Bethany Gayle Lukitsch & Neelam Takhar on February 11, 2020

Posted in Privacy

On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA). The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version. The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward. It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline. The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.

Continue Reading California Attorney General’s Modified CCPA Regulations: Top Ten Changes

Virginia Punts Several Privacy-Related Bills to Out of Session Study

By Chris Nolen on February 3, 2020

Posted in Privacy

Last week a committee of the Virginia House of Delegates voted to send several privacy-related bills to a legislative commission for study after the current legislative session. Among those bills is the Virginia Privacy Act, proposed as a less onerous version of the California Consumer Privacy Act. Other bills referred for study address topics such as requirements for the destruction of records, online advertising and digital services directed to minors, and safe keeping of biometric data.

The Communications, Technology and Innovation Committee voted to “continue” the these privacy-related bills and directed the chairman of the committee to request the Joint Commission on Technology and Science (JCOTS) to study the legislation in advance of the 2021 legislative session. JCOTS consists of 13 legislators and its purpose is to evaluate emerging technology and science with the goal of promoting the development of sound public policies on those topics.

Continue Reading Virginia Punts Several Privacy-Related Bills to Out of Session Study

Password Protected