In recognition of the vulnerability of mobile devices and the daily use of those devices in health care, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released a practice guide earlier this month entitled Securing Electronic Health Records on Mobile Devices (NIST Special Publication 1800-1). NIST and NCCoE specifically examined physician use of a mobile device (i.e. smart phone or tablet) to send a referral or an electronic prescription. Using open-source tools and commercially available technologies, NIST and NCCoE offer technical guidance on how to ensure that such mobile device use complies with the HIPAA Security Rule and is in line with NIST best practices. The 260-page practice guide has something for everyone ‒ high-level summaries for business leaders and technical guidance for information security and technology teams.
On August 3, 2018, the Governor in Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach Bliley (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources for cybersecurity and data protection programs.
On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data. This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems. This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements. Continue Reading Denmark Implements Email Encryption Requirement, What Countries Will Follow?
The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise. In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year. A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago. In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money
On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018. The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law. This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. But a lot has changed in two years. Continue Reading EU Commission Recommends Suspension of Privacy Shield; Recent FTC Efforts May Be Too Little Too Late
You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date. Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures. Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.” Continue Reading California Gets Its Very Own GDPR with Statutory Damages
Today, in a 5-4 decision, the US Supreme Court ruled that the government’s acquisition of information regarding an individual’s location based on a cell phone record amounts to a Fourth Amendment search and generally requires a warrant. In Carpenter v. United States, the government obtained nearly 13,000 location points on Carpenter’s movements over a 127-day period from Carpenter’s wireless carrier under the Stored Communications Act (SCA). The standard for obtaining information under the SCA is much lower than the probable cause showing required for a warrant. The government used these cell phone records to show that Carpenter’s phone was near four locations that had been robbed when those robberies occurred and obtained a conviction. In reversing the decision of the Sixth Circuit and remanding the case, the Court held that individuals have a reasonable expectation of privacy in their physical movements.
Chief Justice Roberts delivered the 119-page opinion for the majority, joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. Justices Kennedy, Alito, Thomas and Gorsuch each filed dissenting opinions.
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital
In March of this year, we told you that the D.C. Circuit Court of Appeals issued a decision in ACA Int’l. v. FCC, wherein the court set aside two FCC interpretations of the Telephone Consumer Protection Act, or TCPA. Specifically, the court ruled that the FCC’s interpretation as to what constitutes an autodialer under the TCPA was unreasonably expansive, and that the FCC’s treatment of reassigned numbers was also overly broad.
On May 22, the United States District Court for the Northern District of Georgia, Atlanta Division, issued a decision further restricting the scope of the TCPA. By way of reminder, the Congress passed the TCPA in 1991 in an effort to curb robo calls. The case involved calls made by a debt collector to a former Comcast customer. She sued, claiming that the calls were impermissible under the TCPA. An essential aspect of the TCPA claim at issue was that the call must be made through the use of an “automatic telephone dialing system”, or ATDS, as defined in the statute. Continue Reading District Court Gives Narrow, Reasonable Scope to TCPA
This week, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the use of HIPAA-compliant authorizations for research based on a mandate in the Cures Act for such guidance. The guidance addresses authorizations and expiration language for future research as well as revocation of the authorization. A copy of the guidance can be obtained here. Continue Reading OCR Issues Guidance on the Use of HIPAA Authorizations for Research