By almost 1.5 million votes, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”).  The CPRA amends and expands the California Consumer Privacy Act of 2018 (“CCPA”) and is affectionately referred to as “CCPA 2.0.”  While the CPRA’s requirements do not take effect until January 1, 2023, the CPRA ushers in significantly more privacy protections for California residents, while also amending some of the CCPA’s jurisdictional requirements.  Below, we touch on some of the CPRA’s requirements.

First, from a jurisdictional standpoint, one prong of the CCPA’s test was whether a business annually bought, sold, or received the personal information of 50,000 or more California consumers, households, or devices.  Practically speaking, a business whose website averaged roughly 137 visits per day from California could meet that threshold and be subject to the CCPA’s requirements.  Under the CPRA, the threshold is raised to 100,000 consumers or households, and devices no longer count.  This change benefits small and midsize businesses that would not otherwise meet the remaining jurisdictional prongs: annual gross revenue above 25 million dollars, or deriving 50% or more of annual revenue from selling or sharing the personal information of California consumers.

Second, similar to the GDPR, the CPRA establishes a new category of “sensitive personal information.”  Under the CPRA, sensitive personal information includes an individual’s precise geolocation, race, religion, sexual orientation, and specified health information, among others.  Individuals will have greater control over this information: the CPRA gives consumers the right to limit a business’s use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services.

Third, the CPRA strengthens protections for minors by tripling the maximum administrative fine for violations involving the personal information of consumers under 16.

Lastly, the CPRA establishes the California Privacy Protection Agency.  This agency will implement and enforce California’s consumer privacy laws and can assess administrative fines against businesses that violate them.

Much like the CCPA, we expect the CPRA to evolve and change prior to the January 1, 2023 implementation date.

Today, the FBI, together with the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA), issued a joint alert advising that they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.  Should you have any questions or concerns regarding this alert, please contact Elizabeth Galletta or Daniel Kagan.

As the Covid-19 pandemic continues throughout the world, many workplaces have gone virtual. While technology makes a remote workforce possible, a newly remote workforce brings additional challenges for a company’s information technology (“IT”) systems. Proper policies and procedures governing the security of IT systems and employees’ use of those systems can go a long way toward protecting an organization.

Continue Reading Covid-19 and the Challenges of a Remote Workforce

On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously.  OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule.  This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities.  OCR specifically noted that this practice sees approximately 3,000 patients per year. Continue Reading A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.   Continue Reading A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

There is no doubt that social media has its benefits, especially for medical practices that have come to use it for marketing and advertising.  However, risks are lurking.  On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $10,000 settlement with a dental practice (the “Practice”) for disclosing protected health information of a patient when responding to a review on a Yelp page.

Continue Reading OCR Fines Dental Practice $10,000 For Social Media Disclosures

We are 100 days away from the California Consumer Privacy Act (“CCPA”). Are you ready? The CCPA, the first comprehensive state consumer privacy law in the United States, takes effect on January 1, 2020, with enforcement beginning July 1, 2020.

Does CCPA Apply to My Business? Continue Reading 100 Days from CCPA, Is Your Business Ready?

Apparently, that answer is yes. According to Amazon, its virtual personal assistant, Alexa, can now transmit and handle protected health information (“PHI”) in accordance with HIPAA.  Amazon expects Alexa to handle various healthcare-related tasks, including scheduling urgent care appointments, checking health insurance benefits, and reading blood-sugar results, among others.  To create these new services, Amazon collaborated with various companies, including Cigna and major hospitals.  On the privacy side, Amazon and its partners built safeguards into the new services, such as voice codes or requiring a user to log in with the password for an existing healthcare-specific account.

As technology and health care continue to become more intertwined, I would not be surprised if Apple and Google follow Amazon’s lead, rolling out similar products for Siri and Google Home.  Additionally, the range of healthcare services offered through these virtual personal assistants, as well as our smartphones, will likely only grow.  It no longer seems far-fetched that you may communicate and transmit data to your healthcare provider or pharmacy by talking into a speaker in the comfort of your home.  The question becomes what happens to all the information you are saying aloud?  This will be service-dependent, but it is clear that Amazon, among other tech companies, will now be maintaining your electronic PHI.

This represents a seismic shift from the information maintained by your everyday fitness tracker and comes with an entirely new set of compliance responsibilities.  Thus, while HIPAA is both scalable, depending on the size and scope of the covered entity, and flexible enough to adapt to new technologies, these tech companies may soon realize that HIPAA carries real compliance costs as well.  In today’s age of big data breaches, even a minor slip-up, for example leaking the usernames of a specific healthcare service through the tech provider’s platform, could ultimately prove very costly.

Think your business is too small to risk a cyber security threat? Do you have:

  • A point-of-sale cash register?
  • A credit card authorization system?
  • An email account?
  • Old software?
  • Any computer connected to the internet, ever?

We’ll explain the ways you never dreamed you were at risk. Continue Reading Upcoming Seminar in Connecticut: Cyber Weapons You Must Deploy to Defeat the Criminals Stalking Your Small Business (and a Battle Plan to Launch Today)

The app now known as TikTok, popular with children and teenagers, settled a lawsuit with the FTC under the Children’s Online Privacy Protection Act (“COPPA”) to the tune of $5.7 million.  This sum is the largest civil penalty the FTC has ever obtained under COPPA.  Continue Reading Popular Children’s App Settles FTC COPPA Claims