Header graphic for print

Password Protected

Data Privacy & Security News and Trends

FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement

By Meaghan Pedati on Posted in Consumer Privacy/FTC, Cybersecurity, FTC enforcement

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

In the decision, the Eleventh Circuit did not directly address questions surrounding customer harm, but rather the court states that even “assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a)” the FTC’s cease-and-desist order was unenforceable because, “[i]t does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”

The court notably did not provide any explicit insight into the FTC’s scope of data security enforcement authority. Rather, the court focused on the practical unenforceability of the FTC’s order which ultimately lost the case for the agency. Despite this loss, there are no signs that the FTC will slow down enforcement in this area. In fact, the agency will like increase efforts to bring action against unreasonable data security practices.

One particular area the agency could flex enforcement authority is GDPR enforcement. While the GDPR is somewhat limited in scope, US companies must still remain cognizant of their privacy policy and security practices. If a company claims to be GDPR compliant, but fails to actually comply with the law, the FTC could bring an enforcement action against the company as an unfair or deceptive business practice by claiming to be GDPR compliant but not actually meeting that standard. Admittedly, any action or fine by the FTC against a company for failing to meet its own privacy policy standards does not compare to the GDPR’s fine of four percent of a company’s annual revenue or 20 million euros, whichever is greater. Regardless, the FTC is still able to investigate a company, at the very least, for making false claims to consumers.

While the Trump administration, as well as several DC agencies, have recently made data security a top priority, the FTC has been establishing itself as the go-to data security enforcement agency for several years. Commissioner Ohlhausen, (whose term expires in September 2018) in addition to her background and interest in health-related connected devices, brought extensive privacy, data protection, and cybersecurity experience to the agency which helped build the FTC’s expertise in this area.  By contrast, her current fellow commissioners do not have as much experience working in the data privacy and security industry. However, the agency is not likely to slow down data security efforts. Just last year, the FTC brought three allegations against companies for making false claims about Privacy Shield participation. The FTC, now fully staffed, will have the resources to keep data security a priority and increase data security enforcement action.

The Eleventh Circuit LabMD decision did not provide any explicit insight into the FTC’s scope of data security enforcement authority. However, with several new commissioners ready to work, the FTC will likely continue operating, if not expanding, its role as the de facto leading data security enforcement authority in the US.

EU Countries that missed the GDPR deadline could face court

By Morgane Poppe on Posted in GDPR

The General Data Protection Regulation (GDPR) is now in effect.  On the 25th of May, the day the GDPR took effect, Commissioner Jourová made a speech, in Brussels, at the General Data Protection Regulation conference to mark the beginning of a new chapter in data protection’s history in the EU. In her speech, the Commissioner recalled that data protection is of vital importance for EU citizens as personal data protection is a fundamental right in the EU and that this matter is also crucial for businesses as personal data protection is an issue for trust in the digital market.

However, some EU countries, including Belgium, Greece and Hungary for example, missed the May 25th deadline and are not ready to fully enforce the GDPR. This creates legal uncertainty for both citizens and companies.

A few days before, the Commissioner said that the Commission would not hesitate to take EU Members States to court for missing the delay in serious cases. Indeed, EU Members Sates have had two years to implement the GDPR and to engage in action.

In her speech on 25th of May, the Commissioner insisted that the Commission will take appropriate actions to ensure the protection of personal data, including recourse of infringement actions. In this way, the Commission has allocated grants to support new Data Protection Authorities in the organization for awareness-raising activities that will start from July 2018 and will continue in 2019.

The Commission will take stock of the Regulation implementation after one year, in May 2019.

At the same time, the European Data Protection Board (EDPB) became operational and has succeeded the Article 29 Working Party. The EDPB is an independent EU decision making body with legal authority created by the GDPR. For its part, the EDPB is ready to fully enforce the GDPR. On the 25th of May, in the morning, Ms Jelinek, former head of Austria’s data protection authority, was elected as Chair of the EDPB. The new EDPB’s website is also fully operational at this link.

Don’t Neglect Physical Safeguards as Part of HIPAA Security Compliance

By Lauren M. Ramos on Posted in Data Security, Health Information, HIPAA

The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.

A thorough and compliant HIPAA Security Rule risk analysis must include a review of the entity’s implementation of physical safeguards. The Security Rule requires that covered entities and business associates address facility access controls, receipt and removal of devices containing ePHI, and restrict access to workstations containing ePHI to authorized users. “Workstations” include not only desktop and laptop computers, but also any other electronic media and portable electronic devices. Tablets and smartphones must be considered if they contain or can access ePHI. HIPAA permits entities to tailor physical security according to the size and complexity of the entity’s operations, but some level of physical security will always be necessary.

OCR’s recent guidance focuses on restricting access to workstations. Access controls are most commonly associated with technical safeguards like unique usernames, stringent password requirements, and tracking user activity. HIPAA also requires that entities physically protect workstations that contain or access ePHI. For example, facilities and rooms where workstations are located should be adequately secured with locks and/or other regulated entry systems. Security cameras or guards might also be appropriate for certain entities. Device locks are ideal for laptops and other small devices that can be easily removed from their location. OCR emphasizes that physical safeguards do not have to be expensive or complex – security measures can be low cost or free, and as simple as positioning workstation screens away from public areas or using privacy screens.

In the digital age, it is easy to ignore some of the simplest and most cost-efficient measures to prevent HIPAA risk and liability. OCR’s guidance makes it clear that OCR will not ignore physical safeguards in evaluating HIPAA compliance. In fact, OCR notes that several settlements for alleged HIPAA violations have involved concerns over workstation security.

OCR urges covered entities and business associates to develop a physical security strategy by (1) taking an inventory of all electronic devices, (2) evaluating the location of the devices and whether they should be relocated, (3) assessing what physical security controls are currently in place and what additional controls could be added, (4) putting policies in place and training employees on physical security, and (5) posting signs and notices as reminders about physical security. Covered entities and business associates should follow these steps and continuously monitor physical safeguards as part of a comprehensive HIPAA compliance program.

State Regulators Announce Cryptocurrency Crackdown

By Nicholas B. Lewis and Brian C. Wanglin on Posted in Cryptocurrency, Securities and Exchange Commission

This post originally appeared in our sister publication, Subject To Inquiry.

On May 21, the North American Securities Administrators Association (NASAA) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.

As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (ICO) to raise capital. ICOs, however, are ripe for potential fraud. As the Washington Post has explained, “consumers face higher risks of being misled at a time when the intense demand for bitcoin has prompted many retail investors to take extreme steps to gain exposure to the currency…”

Given ICOs’ high risk of fraud, state regulators are increasingly scrutinizing such offerings as well as other practices involving cryptocurrency-related investments. In fact, according to NASAA, state regulators have opened nearly 70 inquiries and investigations into cryptocurrency-related companies. Moreover, there are 35 pending or completed enforcement actions related to ICOs or cryptocurrencies since the beginning of May. In short, state agencies are using state securities laws to crack down on fraud and deception in the cryptocurrency market.

These coordinated state actions have caught the attention of federal regulators as well. U.S. Securities and Exchange Commission (SEC) Chairman Jay Clayton issued a statement praising the NASAA for taking action. Chairman Clayton warned “fraudsters in this space that many sets of eyes are watching, and that regulators are coordinating on an international level to take strong actions to deter and stop fraud.” Chairman Clayton further reminded investors that “regulators are committed to protecting investors in these markets.”

As the recent NASAA announcement and SEC Chairman Clayton’s comments demonstrate, regulators in the United States and abroad are increasingly turning their attention to the cryptocurrency market. The intensifying spotlight on ICO’s and cryptocurrency should encourage companies pursuing an ICO or other activities involving cryptocurrency-related investments to seek legal counsel and to comply with all state laws, federal laws, and SEC regulations.

Retailers, Consent and the GDPR: Is Your Business in Breach?

By Alice O'Donovan on Posted in GDPR, Other, Retail

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Under the GDPR:

  1. Businesses must ensure that an individual consents to the processing of their personal data by clear, affirmative action, establishing a: (a) freely given; (b) specific; (c) informed; and (d) unambiguous indication of agreement.
  2. Acquiescence (e.g., failing to un-tick a pre-ticked box) will not constitute consent.
  3. Businesses must be able to demonstrate that the individual consented and consent was freely given.
  4. A transaction cannot be conditional on consent that is not necessary to the transaction.
  5. Individuals must be able to withdraw their consent to the processing of their data at any time. It must be as easy to withdraw consent as it was to provide it.

Common retail practices that should be reviewed:

These common practices could place retailers at risk of a fine.

  1. At the cash register
    • Are staff in shops instructed to ask customers for personal data at the cash register?
    • How do they ask for it and how is it used?
    • Is it shared with a third party?
    • Staff must (a) make clear to customers that they can choose not to provide their information and (b) explain exactly what the data will be used for. The request must not be presented to the customer as if it is a condition of sale.
  2. Online
    • Is customers’ personal data retained and used after they place an order? Is it sold or shared with third parties?
      • How is customers’ consent to this obtained?
      • Are consent provisions hidden in ‘small print’?
    • Information required for consent must be clear, distinguishable from other matters, and provided in an intelligible and accessible form.
    • Are pre-ticked boxes or confusingly phrased boxes used to obtain customers’ consent?
      • Pre-ticked boxes will not be sufficient – failure to object is not consent.
  3. Withdrawal of consent
    • Customers have the right to withdraw consent at any time. Withdrawing consent must be (a) free and (b) as easy as it was to provide it.
    • All communications should contain a free ‘unsubscribe’ link, telephone number or email address. Many retailers breach this requirement when marketing by post.
  4. Targeted data lists
    • Are data lists used to contact potential customers?
    • Data lists will still be permissible after 25 May 2018, if consent has been validly obtained. The purchaser of the data is equally responsible for ensuring that valid consent is in place.
    • Were data lists purchased before 25 May 2018?
      • Do not continue to use lists unless you are satisfied that valid consent is in place.

Case Study:

A random review of ten unsolicited marketing catalogs received during September 2017 indicated the following:

  1. None advise the recipient where the sender obtained their data.
  2. Five make no mention whatsoever of how the customer can unsubscribe or opt out of future mailings.
  3. Of the five that do mention unsubscribing:
    • One invites the customer call a UK landline.
    • One invites the customer to subscribe to the Mail Preference Service (MPS); and
    • Three say in small letters “If undelivered or to unsubscribe, please return to…”.

Arguably, none of these comply with the GDPR’s requirements.

How should you approach marketing?

The GDPR does not have to hinder marketing campaigns. However, retailers should:

  1. Ensure that campaigns are permission-based;
  2. Ensure that it is clear to individuals how data will be used;
  3. Provide a simple, free way for customers to unsubscribe;
  4.  Ask for consent to pass details to third parties, and name those third parties;
  5. Record when and where consent was obtained and what it covers; and
  6. Buy data lists from reputable sources and seek an audit trail showing that consent has been validly obtained.

 

Between a Rock and a Hard Place: SEC Disclosure Analysis in Light of Yahoo

By Alexander Madrid, David S. Wolpa, Andrew Konia and Jane Whitt Sellers on Posted in Securities and Exchange Commission

On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.

This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their public filings. In conducting this analysis, companies face a difficult choice: disclose and face public and investor backlash, or decline to disclose and potentially face later regulatory scrutiny and/or class action stockholders’ litigation.

To read McGuireWoods’ analysis of what the Yahoo settlement can teach about proper disclosure analysis and the factors that a company must consider when conducting this critical task, download a copy of our white paper, titled “Between a Rock and A Hard Place: SEC Disclosure Analysis in Light of the Yahoo Settlement.”

2018 Virginia General Assembly Wrap-Up: Modest Privacy-Related Bills Adopted

By Chris Nolen on Posted in Legislation, Privacy, Tax

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).

This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:

“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283

Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer.  It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.

Other Privacy-Related Legislation

Additional bills related to privacy include (partial listing):

  • PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
  • PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. 1027 SB16
  • DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
  • DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a users’ ability to access broadband internet access. The bill also would have limited a broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. SB948
  • DEFEATED: Limiting state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law-enforcement activities. SB949
  • DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588
  • DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted, of any crime (a.k.a. “ban-the-box”). SB252; HB1357
  • DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
  • DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
  • DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
  • DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39

Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response in response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was in response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would be identity thieves to file false state income tax returns.

State and Federal Power Struggle Over Data Privacy and Security

By Clare M. Lewis on Posted in Data breach, FTC enforcement

U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses.  However, there are a plethora of reasons it may not make much progress through Congress this year. The current 49-state, soon to be 50-state, patchwork of breach notification laws that are all different in various meaningful ways makes compliance with a nationwide breach (which is what typically occurs in companies) quite tedious.  This proposed federal legislation would set a national standard for securing customer data and reporting data breaches.

Similar legislation has stalled in Congress for nearly a decade, but recent events, including numerous high profile data breaches and other events where data was misused, the EU Parliament’s approval of the General Data Protection Regulation (GDPR) with an enforcement date of May 25, 2018, and California’s proposed ballot initiative on privacy (improving consumers’ rights regarding collection and usage of their data), have catalyzed Congress once more.  Last week, senators introduced legislation called Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act).  The bill requires explicit opt-in consent from users to share, use, or sell any personal information, notification any time data is collected, shared, or used, and new security and breach reporting requirements. The CONSENT Act relies on the Federal Trade Commission to enforce any violations of those new rules.

There are many obstacles to enacting federal data privacy and security legislation, including disputes over preemption of state law, reasonable security standards, penalties, and exemptions.  After Republicans took control of the White House and both chambers of Congress last year, federal regulatory activity diminished, and cities and states have stepped in to fill the void.  The attorneys general of 31 states are pressing lawmakers to scrap the Data Acquisition and Technology Accountability and Security Act, arguing that it waters down more stringent state laws requiring prompt notification of breaches to consumers.  Since South Dakota passed a new law in March, every state but Alabama has data breach laws in effect which require companies to notify consumers when their personal information hacked.  And last week Alabama’s governor signed the final state data breach law which goes into effect on May 1, 2018.  The attorneys general argue that these state laws have catalyzed greater transparency about data breaches and improved steps companies can take to prevent breaches from occurring again.

In addition to state laws, some cities have taken affirmative steps regarding data security.  NYC Mayor de Blasio announced the launch of a cybersecurity initiative, NYC Secure, which is supposed to defend New Yorkers from malicious cyber activity on mobile devices, public Wi-Fi networks, and beyond.  The first program is a smartphone protection app which issues warnings to users when suspicious activity is detected on their mobile devices.

Stay tuned to see who wins the state versus federal power struggle over data privacy and security—exciting times are ahead!

Federal Enforcement Isn’t the Only HIPAA Concern—States Flex Their Muscles

By Timothy R. Loveland and Nathan A. Kottkamp on Posted in HIPAA

Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations.  Indeed, under the HITECH Act, state attorneys general have their own HIPAA enforcement authority.  Two recent settlements suggest that states are ramping up their enforcement activities.

The New Jersey Attorney General recently announced a settlement of nearly $418,000 involving physician network Virtua Medical Group, P.A. (Virtua) for an alleged breach of privacy involving 1,654 patients, most of whom reside in New Jersey.  The settlement followed an investigation by the New Jersey Division of Consumer Affairs, which concluded that an online server misconfiguration during a software update by a third party vendor and business associate of Virtua rendered patient medical records and related electronic personal health information (ePHI) to be viewed online and indexed by search engines.  The New Jersey Division’s investigation determined that the third party vendor and business associate of Virtua discovered the breach in January 2016 and reinstated the security protections put in place prior to the update, but did not notify Virtua upon its discovery of the breach.  The resulting settlement stemmed allegations that Virtua failed to conduct a comprehensive analysis of risks relative to PHI sent to the third party vendor, failed to safeguard against the risk of disclosure, failed to set forth sufficient procedures requiring security measures necessary to mitigate the risk, and failed to implement awareness and training programs for workforce members related to impermissible disclosures.

Furthermore, in March 2018, the New York Attorney General announced a $575,000 settlement with EmblemHealth and wholly-owned subsidiary Group Health Incorporated (EmblemHealth), following an incident in which 81,122 social security numbers were disclosed on a mailing.  In EmblemHealth’s case, a Medicare Prescription Drug Plan Evidence of Coverage notice included a mailing label with the policyholder’s social security number on it.  In addition to the settlement, EmblemHealth is required to implement a corrective action plan.

These settlements serve as reminders to covered entities and business associates that states may aggressively enforce data privacy and security violations, separate from what the OCR does.  Some state laws (such as those in New Jersey and New York) may not expressly target PHI breaches in the same manner as HIPAA and other federal data privacy and security regulations, but they may have similarly sharp teeth.  Furthermore, state enforcers may share information with and involve federal enforcers in activities constituting a violation of such federal regulations.  In addition, covered entities should thoroughly examine business associate agreements to ensure that third party vendors bear the financial risk for failures to provide notice regarding breaches and to maintain adequate security measures to mitigate against the risk of disclosures.

HIPAA in Due Diligence (Part III): Risk Mitigation Strategies

By Kate Waters Hardey, Sara Helene Shanti and Timothy R. Loveland on Posted in HIPAA

Health Information Highlight

Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. In Part II, we reviewed considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server. Here, we address potential risk mitigation strategies when HIPAA issues are identified in the course of diligence.

It is not unusual to identify gaps or deficiencies in HIPAA compliance during the diligence process. These deficiencies can range from a lack of robust policies, procedures and employee training to inappropriate use of texting and cloud storage or failure to conduct a required security risk assessment. Several years ago when HIPAA enforcement risk was more of a secondary concern, many buyers did not take a proactive approach to remediation and assumed these areas could be addressed in the ordinary course. Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps. When a buyer encounters compliance gaps, there are various ways to mitigate this risk, several of which are discussed below:

  1. Require Compliance Actions as a Pre- or Post-Close Condition. Depending on the level of risk and exposure, buyers should consider whether addressing compliance gaps should begin prior to closing. In other instances, it may be reasonable to address compliance post-close; however, it is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.
  2. Indemnification, Escrows & Representation and Warrantee Insurance. Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance. When negotiating indemnification provisions, a buyer should consider applicable dollar caps, floors and the survival period to ensure appropriate coverage for potential future liability.
  3. Ongoing Settlements. If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close. Buyers should also ensure that the indemnification provisions from the seller are modified so as to adequately protect the buyer from undue risk or exposure.

With the continued risk of HIPAA enforcement, privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate that risk and understand the cost of protecting the target’s greatest assets.

We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.

Agree