At McGuireWoods, we deliver quality work, personalized service and exceptional value. We use technology to provide efficient legal solutions and employ a diverse workforce to bring real-world and innovative perspectives to meeting our clients’ needs. With 1,100 lawyers and 21 strategically located offices worldwide, McGuireWoods uses client-focused teams to serve public, private, government and nonprofit clients from many industries, including automotive, energy resources, healthcare, technology and transportation.

Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences.  This can be costly on multiple fronts.  In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations.  Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.”  Of course, this warning is not limited to dentists; all health care providers should take heed. 
Continue Reading From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement

October 1st marks the beginning of National Cybersecurity Awareness Month (NCSAM). During October, government and industry work together to raise awareness of cybersecurity issues and help promote educational materials. This year, the Department of Homeland Security (DHS) is focusing on “citizen privacy, consumer devices, and ecommerce security.” To assist with NCSAM efforts, the DHS

In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be over-charged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR.
Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access

As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition

With relatively minimal fanfare, Nevada passed Senate Bill 220 (SB-220), making it the second state to offer consumers the ability to opt out of the sale of their personal information.  SB-220 is narrower than California’s Privacy Law (CCPA), but it becomes effective on October 1, 2019 – before CCPA.
Continue Reading Privacy and Cybersecurity State Law Tracker: Nevada Consumer Privacy Law

Governor Mills signed “An Act To Protect the Privacy of Online Customer Information” (LD-946), which requires Internet service providers (ISPs) to obtain opt-in consent prior to “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.”  LD-946 goes into effect July 2020.
Continue Reading Privacy and Cybersecurity State Law Tracker: Maine Consumer Privacy Law

***Update: Amendments to the existing data breach notification law are now in effect.***

New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. Amendments to the existing data breach notification law take effect Oct. 2019. The SHIELD Act cyber provisions take effect in March 2020. 

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires credit reporting agencies that suffer a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.

Continue reading for a summary of the SHIELD Act and how it could impact your business.
Continue Reading Privacy and Cybersecurity State Law Tracker: NY SHIELD Act and Information Governance

On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on the civil money penalties (CMPs) HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers that progressively increases from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year.
Continue Reading HHS Lowers Annual Caps on Most HIPAA CMPs

The Office for Civil Rights (OCR) recently released a Fact Sheet regarding “Direct Liability of Business Associates.” In this Fact Sheet, OCR reminds entities that, as of 2009, HIPAA business associates have been directly liable for certain violations of the HIPAA rules. By way of background, business associates are various entities that require “protected health information” to support HIPAA “covered entities” (health care providers, health care insurers, and health care clearinghouses) or other business associates in carrying out various functions.
Continue Reading OCR Issues Fact Sheet On HIPAA Business Associate Liability