In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is
McGuireWoods LLP
OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks. …
Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections
On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and…
Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.
Iowa Joins Data Privacy Vanguard
On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation. Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them. Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.[1]
The Door Opens for Astronomical Damages Under BIPA
An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”). Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.
Five Years It Is — Illinois Supreme Court Decides BIPA Statute of Limitations
The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going
HHS Issues New HIPAA Guidance on Audio-Only Telehealth Services
During the pandemic, audio-only telehealth was a critical tool to provide care to populations that could not use video during telehealth sessions, due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.
New HHS guidance outlines steps covered entities should take to ensure that their audio-only telehealth practices are…
OCR Seeks Input on “Recognized Security Practices” as Mitigating Factor for HIPAA and HITECH Fines
In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human…
Twitter Fined $150M for Violating FTC Order on Misrepresenting Privacy and Security Practices
On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.
Read on for details about the alleged violations…